b"   September 28, 2006\n\n\n\n\nInformation Technology\nManagement\nReport on Defense Civilian Pay\nSystem Controls Placed in Operation\nand Tests of Operating Effectiveness\nfor the Period July 1, 2005, through\nJune 30, 2006\n(D-2006-120)\n\n\n\n\n            Department of Defense\n           Office of Inspector General\nQuality             Integrity        Accountability\n\x0cAdditional Information and Copies\n\nThe Department of Defense Office of the Deputy Inspector General for Auditing,\nDefense Financial Auditing Service prepared this report. If you have questions or\nwould like to obtain additional copies of the draft report, contact Mr. Michael\nPerkins at (703) 325-3557 (DSN 221-3557) or Mr. Sean Keaney at (703) 428-1448\n(DSN 328-1448).\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Office of the Deputy\nInspector General for Auditing at (703) 604-8940 (DSN 664-8940) or fax (703)\n604-8932. Ideas and requests can also be mailed to:\n\n                     ODIG-AUD (ATTN: Audit Suggestions)\n                     Department of Defense Inspector General\n                       400 Army Navy Drive (Room 801)\n                           Arlington, VA 22202-4704\n\x0c\x0cTable of Contents\nForeword                                                                  i\n\nSection I\n      Independent Service Auditor\xe2\x80\x99s Report                                1\n\nSection II\n      Description of DCPS Operations and Controls Provided by DFAS and\n         DISA                                                            11\n\nSection III\n      Control Objectives, Control Activities, and Tests of Operating\n         Effectiveness                                                   23\n\nSection IV\n      Supplemental Information Provided by DFAS and DISA                 89\n\nAcronyms and Abbreviations                                               93\n\nReport Distribution                                        
              94\n\x0c                                   FOREWORD\nThis report is intended for the use of Defense Finance and Accounting Service (DFAS)\nand Defense Information Systems Agency (DISA) management, its user organizations,\nand the independent auditors of its user organizations. Department of Defense (DoD)\npersonnel who manage and use the Defense Civilian Pay System (DCPS) will also find\nthis report of interest as it contains information about DCPS general and application\ncontrols.\n\nDCPS is a pay processing system used to pay DoD civilian employees, as well as\nemployees at several other Federal entities, including the Departments of Energy, Health\nand Human Services, the Environmental Protection Agency, and the Executive Office of\nthe President. In 2005, DCPS processed approximately $42.3 billion in pay transactions\nand paid approximately 789,000 employees on a biweekly basis.\n\nThe DoD Office of Inspector General is implementing a long-range strategy to conduct\naudits of DoD financial statements. The Chief Financial Officers Act of 1990 (Public\nLaw 101-576), as amended, mandates agencies prepare and conduct audits of financial\nstatements. The reliability of information in DCPS directly impacts the Defense\nDepartment\xe2\x80\x99s ability to provide reliable, and ultimately auditable, financial statements,\nwhich is key to achieving the goals of the Chief Financial Officers Act.\n\nThis audit assessed DCPS application and general computer controls and related\nprocessing. DFAS and DISA are responsible for managing and maintaining DCPS\napplication and general computer controls. This report provides an opinion on the\nfairness of presentation, the adequacy of design, and the operating effectiveness of key\napplication and general computer controls that are relevant to audits of user organization\nfinancial statements. 
As a result, this audit precludes the need for multiple audits of DCPS controls previously performed by user organizations to plan or conduct financial statement and performance audits. This audit will also provide, in a separate audit report, recommendations to management for correction of identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision-making purposes.

Section I: Independent Service Auditor’s Report

Section II: Description of DCPS Operations and Controls Provided by DFAS and DISA

A. Overview of DCPS

Purpose of DCPS

In 1991, DoD selected DCPS as its standard payroll system. DCPS is used by all DoD activities paying civilian employees, except Local Nationals and those funded by Non-appropriated Funds and Civilian Mariners. Before becoming the DoD-wide civilian pay system, DCPS was the Navy civilian pay system, which had been in operation since 1988. DCPS began paying the EOP in 1998. The President’s Management Agenda e-Payroll initiative requires DFAS, as one of four federal payroll providers, to service the entire executive branch of the Federal government. DFAS began processing payroll for the Department of Energy in 2003, the Department of Health and Human Services in 2005, and the EPA in 2006. As of June 30, 2006, DCPS processes pay for approximately 789,000 employees.

The DCPS program mission is to process payroll for DoD civilian employees in accordance with existing regulatory, statutory, and financial information requirements relating to civilian pay entitlements and applicable policies and procedures. The DoD civilian pay program must satisfy the complex and extensive functional, technical, and interface requirements associated with the DoD civilian pay function. The functional areas include: employee data maintenance; time and attendance; leave; pay processing; deductions; retirement processing; debt collection; special actions; disbursing and collection; reports processing and reconciliation; and record maintenance and retention. DCPS provides standard interface support to various accounting, financial management, and personnel systems. From a life cycle perspective, DCPS is in the maintenance phase, with system changes mainly resulting from legislative and functional requirements.

Approximately 2,900 payroll processing personnel at three DFAS payroll offices located in Pensacola, Florida; Charleston, South Carolina; and Denver, Colorado use DCPS. DCPS is also used at NSA.[1] Additional users include Customer Service Representatives at customer activities and sites. The three DFAS payroll offices process payroll for all DoD civilians. The Pensacola payroll office processes EOP payroll; the Charleston payroll office processes Departments of Energy and Health and Human Services payroll; and the Denver payroll office processes EPA payroll.

[1] The NSA payroll office is not included in the scope of this “Description of DCPS Operations and Controls Provided by DFAS and DISA.”

DCPS Support Functions

The DFAS Standards and Compliance Division (under the cognizance of the DFAS Director) provides high-level management control and coordination within DoD and for DCPS external customers. The Civilian Pay Services Product Line and the System Management Office (under the cognizance of the DFAS Chief Information Officer) have overall daily responsibility for application, operation, interpretation, and implementation of DCPS. In addition, those offices are responsible for coordinating with external users and new customers. The Civilian Pay Services Product Line and the System Management Office (SMO) are responsible for requirements management, functional analysis, information assurance, and user documentation processes. TSOPE provides DCPS software engineering, production support, and customer service. Within TSOPE, several groups provide DCPS support. The Software Engineering Division provides technical design, programming, unit testing, and system documentation. The Software Test and Evaluation Division performs integration testing and evaluation processes. The Project Support Division provides system software, telecommunication, computer resource tools, and database support. The DCPS Software Quality Assurance Office monitors the software engineering process and provides recommendations for improvement. The Systems Support Division provides configuration management, release management, implementation status, and customer support. DCPS is maintained and executed on a DISA mainframe platform at DECC SMC Mechanicsburg, Pennsylvania.

DCPS Systems Architecture

DCPS has a two-tiered architecture composed of the following:

    •   Mainframe hardware and software components - used as a repository for collecting and accumulating data, and providing centralized, biweekly processing of civilian pay and its attendant functions (for example, electronic funds transfer or generating Leave and Earnings Statements).

    •   Remote user/print spooler hardware and software - used to collect and/or pre-process data at customer sites, provide connectivity to DCPS mainframe components, and support printing of mainframe-generated outputs (for example, reports and timesheets) at customer locations. The components are largely customer-owned and operated, and include local area networks, personal computers, and a diverse assortment of printers and software that operates and connects the networks, computers, and printers. DFAS maintains a limited number of mid-tier (minicomputer) systems at selected DFAS sites to handle specialized printing requirements (for example, paychecks). Other offloaded print services, such as bulk printing for DCPS payroll offices and printing of Leave and Earnings Statements, are performed on personal computers or workstations maintained by the Defense Automated Printing Service at sites located in various U.S. and overseas geographical regions.

The two tiers of the DCPS architecture are connected by DoD-maintained networks composed of Internet Protocol-based (for example, the Non-Classified Internet Protocol Router Network) and Systems Network Architecture-based (leased line) services. Those networks connect DCPS to a wide variety of external, non-DCPS sites (mainframes, mid-tiers, and personal computers) that supply or exchange data with DCPS, mainly through electronic file transfers, on a regular basis. Examples of external interface sites include the Defense Civilian Personnel Data System, Federal Reserve Board, Thrift Savings Plan (TSP), Department of the Treasury, and non-DoD users such as the Departments of Energy and Health and Human Services, EOP, and EPA.

The main technical components of DCPS have the following attributes.

    •   DCPS is housed in a separate logical domain on an IBM Z900 mainframe computer located at DECC SMC Mechanicsburg.

    •   The IBM mainframe operating system software is z/OS release 1.4.

    •   DCPS is written in COBOL II (Common Business Oriented Language).

    •   First point of entry security protection mechanisms are provided by Access Control Facility 2 (ACF2).

    •   DECC SMC Mechanicsburg provides four web servers that service all applications that support DCPS. Those servers accept the users’ secure web requests by supplying a menu screen with options for each application to the DCPS logon screen, where individuals enter their ACF2 login user identification and passwords.

    •   Third-party software packages are used for DCPS process scheduling and monitoring.

The payroll offices and associated Customer Service Representatives have access to DCPS through dedicated leased lines, various DoD networks, and through Secure Web Access. Secure Web Access enables secure transaction processing across the Non-Classified Internet Protocol Router Network. DISA is in the process of transitioning Secure Web Access to the Mainframe Internet Access Portal, which is centrally managed by the Communications Control Center, Montgomery, Alabama. IBM’s Host-on-Demand was used to establish the Secure Web Access infrastructure. DCPS users interact directly with the DCPS application through “3270” emulation using Personal Computer/Advanced Technology keyboard mapping terminals or terminal simulation programs for communication with DCPS. This permits application-defined formatted screens to be displayed with protected static text and unprotected fields for data entry. The payroll offices are structured in accordance with DFAS standard staffing policy and conduct business using standard operating and support procedures. They operate on a 24-hour basis to provide payroll service to customers located in various time zones and are responsible for the full range of pay processing functions and services. As circumstances dictate, the three payroll offices serve as operational back-up sites for each other when contingency procedures are executed by DFAS.

DoD Instruction 8500.2, “Information Assurance Implementation,” February 6, 2003, identifies specific control requirements DoD systems should achieve based on their designated Mission Assurance Category (MAC). The DCPS application Authority to Operate, dated July 29, 2005, is on file with the DFAS Chief Information Officer. According to the current DCPS System Security Authorization Agreement (SSAA), as of June 30, 2005, the MAC level for the DCPS application is “MAC III” and its supporting enclave at DECC SMC Mechanicsburg is “MAC II.”

DCPS Data Flow

The following figure depicts the flow of data to and from DCPS as of April 2005. DCPS customers and technicians input data, including master employee and time and attendance logs.
DCPS outputs data to multiple systems and entities, including financial reporting entities, the automated disbursing system, and data storage.

Overview of System Interfaces

DCPS is a combination of online and batch programs that support the requirements of a biweekly payroll process for approximately 789,000 civilian employees in the Federal government based on data feeds from numerous personnel, accounting, and time and attendance systems. Transactions to update employee data, adjust leave balances and payments, and report time and attendance may be input daily to spread the online workload and to obtain labor data. However, the focal point of the system is the biweekly process. Non-biweekly process functions occur monthly, quarterly, annually, or as required, and are in support of, or a result of, multiple biweekly pay cycles. DCPS supports a standard personnel interface, decentralized time and attendance reporting, and the Customer Service Representatives structure.

DCPS accepts input from three primary areas: Customer Service Representatives, timekeepers, and personnel offices. DCPS receives or creates data for approximately 109 interface systems that, among other functions:

    •   update personnel information,
    •   upload time and attendance data,
    •   download information for checks to be printed,
    •   report accounting information to the Department of the Treasury,
    •   reconcile enrollment information with health care providers, and
    •   download general accounting information to DoD agencies.

Automatic electronic file transfer directly to and from the host mainframe computer is preferred for input and output file interfaces. Output files are automatically transmitted to sites and activities using common file transfer protocols, through communication lines or files written to magnetic tape at the host (per data in File Transfer Tables). Interface partners must provide File Transfer Table data to the TSOPE for table updates. For files not automatically transferred, the activity receiving DCPS data is responsible for accessing the host computer to retrieve (“pull”) the output file(s) from the host. In addition, the activity creating payroll data is responsible for developing and sending a DCPS input file by secure means to the processing center supporting the payroll office. The payroll activities and the submitting activities establish mutually agreeable schedules to ensure timely receipt of data necessary to support DCPS payroll processing. TSOPE is responsible for executing and monitoring interface processing, as well as resolving interface processing errors or problems.

B. Control Environment

DCPS Management Oversight

The DFAS Information and Technology Directorate is responsible for reviewing and approving DCPS security policy and its certification and accreditation plan, and granting DCPS authority to operate. TSOPE provides not only DCPS software engineering support, but also production support and customer service. DCPS is maintained and executed on a DISA mainframe platform at DECC SMC Mechanicsburg, Pennsylvania. DECC SMC Mechanicsburg is part of the Center for Computing Services within the Global Information Grid Combat Support Directorate, which is a Strategic Business Unit within DISA. DFAS and DISA have documented DCPS support services provided by DISA in a Service-Level Agreement that is reviewed by both agencies on an annual basis. DFAS and DISA have documented policies and procedures describing their respective roles and responsibilities in supporting payroll functions. DISA and DFAS are Defense agencies that report to the Office of the Secretary of Defense.

Personnel Policies and Procedures

DFAS Payroll Offices and TSOPE

Payroll office employees and contractors are required to review applicable administrative orders, policies, and procedures with the Human Resource Office and must complete appropriate forms to gain access to DFAS systems. New employees must meet with the Information Security Manager prior to gaining access to DCPS. The Information Security Manager is responsible for: (1) providing basic system security awareness training, (2) securing civilians’ and contractors’ signatures on an Automated Data Processing Security Awareness disclosure form, (3) identifying who an employee’s Terminal Area Security Officer is and what the Terminal Area Security Officer’s responsibilities are, and (4) notifying appropriate personnel when personnel actions occur. Those actions include providing access to or immediately terminating employee or contractor access to DFAS automated information system resources. The payroll offices and TSOPE facilities do not require any specific level of prior security clearance before a candidate can become an employee.

DECC SMC Mechanicsburg

The security manager is responsible for processing and vetting new employees and contractors who are given access to DECC SMC Mechanicsburg facilities. All contractors and employees are required, at a minimum, to have a secret clearance and a positive National Agency Check. For employees, the security manager coordinates with the personnel office, and for contractors, the security manager coordinates with the contracting officer. The contracting officer is responsible for confirming that all contractors are assigned to a valid contract and have been approved to work at DECC SMC Mechanicsburg.

All new employees are required to sign DISA Form 312, “Classified Information Nondisclosure Agreement,” which serves as a nondisclosure agreement for sensitive and classified information. When employees are terminated, DISA requires them to sign the same Form 312 to confirm their understanding of the requirements placed upon them. New employees and contractors are required to complete a SAAR form to gain access to DISA systems. The security manager is responsible for vetting those forms and confirming that the person requesting access has the proper clearance for the level of access requested. For contractors, the security manager confirms the length of the contract and determines when system accounts should expire. All new employees and contractors must complete security awareness training.

C. Monitoring

Management and supervisory personnel at DFAS and DISA monitor the performance quality and internal control environment as a normal part of their activities. DFAS and DISA have implemented a number of management, financial, and operational reports that help monitor the performance of payroll processing, as well as the DCPS system. Those reports are reviewed each pay period and action is taken as necessary. All procedural problems and exceptions to normal and scheduled processing are logged, reported, and resolved in a timely manner. DCPS technicians perform remedial action, such as additions, deletions, or changes to customer data, as necessary. In addition, several organizations within DoD perform monitoring activities associated with DCPS-related internal controls.

DISA OIG

The DISA OIG is an independent office within DISA that conducts internal audits, inspections, and investigations. DISA-related components that support DCPS are part of the DISA OIG audit universe and are subject to audits, inspections, and investigations conducted by this office.

FSO

The FSO conducts periodic System Readiness Reviews of DISA systems to determine whether those systems are in compliance with documented Standard Technical Implementation Guides (STIGs). The DCPS system components maintained by DISA are subject to FSO reviews. The FSO is independent of the DECC SMC Mechanicsburg management and does not maintain or configure DCPS.

DoD OIG

Congress established the DoD OIG under the Inspector General Act of 1978 to conduct and supervise audits and investigations related to DoD programs and operations. The DoD OIG reports directly to the Secretary of Defense and is independent of DFAS and DISA. DCPS is part of the DoD OIG audit universe and is subject to financial, operational, and information technology audits, reviews, and special assessment projects.

Certification and Accreditation

DoD Instruction 5200.40, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997, establishes a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems that will maintain the information assurance and security posture of the defense information infrastructure throughout the life cycle of each system. The certification process is a comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards to establish the extent to which a particular design and implementation meets specified security requirements and covers physical, personnel, administrative, information, information systems, and communications security.
The accreditation process is a formal declaration by the designated approving authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

DCPS is subject to the requirements of DITSCAP and must meet all DITSCAP certification and accreditation requirements throughout its life cycle. As part of the DCPS DITSCAP process, DFAS and DISA have developed separate SSAAs for the DCPS application and for the system enclave within DISA that supports the application. Each SSAA is a living document that represents an agreement between the designated approving authority, certifying authority, user representative, and program manager. Among other items, the DCPS SSAA documents DCPS’ mission description and system identification, environment description, system architecture description, system class, system security requirements, organizations and resources, and DITSCAP plan. On a periodic basis, the system security officer must verify and validate DCPS’ compliance with the information in the SSAA by conducting vulnerability evaluations, security testing and evaluation, penetration testing, and risk management reviews. The DCPS application SSAA was signed on July 15, 2005, and is valid for three years. The DECC SMC Mechanicsburg enclave SSAA was signed on October 26, 2005, and is valid for three years. The DCPS application Authority to Operate, July 29, 2005, is on file with the CDB3 Information Assurance Manager. The DCPS Authority to Operate will be included in the annual SMC Mechanicsburg Unclassified Enclave SSAA package update that is submitted to the DISA Designated Approval Authority.

D. Risk Assessment

The DITSCAP process, discussed in subsection C above, includes several activities that enable DFAS and DISA to assess risks associated with DCPS. The DCPS application and enclave SSAAs document threats to DCPS and its supporting technical environment. The SSAAs also contain residual risk assessments that document vulnerabilities noted during DCPS tests and analyses. The information contained in the SSAAs is updated on a yearly basis. Personnel from DFAS TSOPE and DECC SMC Mechanicsburg participate in risk assessment activities.

E. Information and Communication

DCPS is the information system used to process civilian payroll for DoD and payroll customers from other Federal entities including the Departments of Energy and Health and Human Services, EOP, and EPA. Payroll processing includes data from approximately 109 interface systems. Those interfaces are linked to other DoD financial systems, as well as external systems. The majority of the interfaces are automated and must conform to documented interface specifications developed by the TSOPE. The TSOPE is responsible for executing and monitoring all DCPS automated interfaces.

The support relationship between DFAS and DECC SMC Mechanicsburg is documented through a Service-Level Agreement that includes various DFAS and DECC SMC Mechanicsburg points of contact and liaisons that should be used when DCPS issues arise. DECC SMC Mechanicsburg has assigned a customer relationship manager to work with TSOPE to resolve any DCPS processing problems or concerns.

Directors and managers from TSOPE and the payroll offices meet weekly to discuss DCPS processing issues. The Configuration Control Board (CCB), composed of TSOPE and payroll office personnel, reviews and approves functional and systemic changes to DCPS. The payroll offices have help desk functions to identify and track DCPS user issues and problems and communicate those issues and problems to TSOPE for resolution.

F. Control Activities

The DCPS control objectives and related control activities are included in Section III of this report, “Information Provided by the Service Auditor,” to eliminate the redundancy that would result from listing them in this section and repeating them in Section III. Although the control objectives and related controls are included in Section III, they are nevertheless an integral part of the description of controls.

G. User Organization Control Considerations

DFAS and DISA control activities related to DCPS were designed with the assumption that certain controls would be placed in operation at user organizations. This section describes some of the controls that should be in operation at user organizations to complement the controls at DFAS and DISA.

User organizations should have policies and procedures in place to ensure the following events occur.

    •   The Information Systems Security Officer located at the payroll offices is notified of all terminated employees with access to DCPS.

    •   The local Human Resource Office is notified of all terminated employees to ensure that those employees are removed from the Master Employee Record in a timely manner.

    •   All time entered by timekeepers is approved and authorized by appropriate user organization management.

    •   All Master Employee Records created represent valid employees.

    •   All changes to the Master Employee Record are approved by appropriate user organization personnel prior to payroll processing.

    •   Segregation of duties exists between those at the user organization who enter time and those who enter or change Master Employee Records.

    •   All pseudo Social Security Numbers (if created) have been authorized by appropriate user organization personnel and, if necessary, are accurately tied to a primary and valid Social Security Number.

    •   User organization managers review the “Control of Hours” and other payroll-related reports for appropriateness and accuracy.

    •   All invalid time entry interface feeds are reviewed and processed by appropriate user organization personnel in a controlled manner.

    •   All invalid personnel record interface feeds are resolved in the interface system by user organization personnel with appropriate approval by user organization management.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

A. Scope Limitations

The control objectives documented in this section were specified by the DoD OIG. As described in the prior section (Section II), DCPS interfaces with many systems. The controls described and tested within this section of the report are limited to those computer systems, operations, and processes directly related to DCPS itself. We did not perform any procedures to evaluate the integrity and accuracy of the data contained in DCPS. The controls related to the source and destination systems associated with the DCPS interfaces are specifically excluded from this review. In addition, we did not perform procedures to evaluate the effectiveness of input, processing, and output controls within those interface systems.

B. Control Objectives, Control Activities, and Tests of Operating Effectiveness

Application Control Objectives, Control Activities, Tests Performed, and Results of Testing

No. 1

Control Objective: Controls provide reasonable assurance that only valid and accurate changes are made to the payroll master files and payroll withholding tables.

    Control Activity: Policies and procedures are documented to describe how only valid and accurate changes are made to the payroll master files and payroll withholding tables.
    Tests Performed: Read policies and procedures and inquired with appropriate personnel to confirm that only valid changes are made to the payroll master files and payroll withholding tables.
    Results of Testing: No relevant exceptions noted.

    Control Activity: Payroll master file and withholding data tables are periodically reviewed by supervisory personnel for accuracy and ongoing pertinence.
    Tests Performed: Inquired with appropriate personnel and inspected online queries (OLQs) and summary reports to confirm that master files and withholding tables were periodically reviewed by supervisory personnel for accuracy and ongoing pertinence.
    Results of Testing: No relevant exceptions noted.

    Control Activity: Programmed validation and edit checks identify erroneous data.
    Tests Performed: Inquired with appropriate personnel and observed programmed validation and edit checks to confirm they existed.
    Results of Testing: No relevant exceptions noted.

    Control Activity: The ability to view, modify, or transfer information contained in the payroll master files is restricted to authorized personnel.
    Tests Performed: Inquired with appropriate personnel and inspected a random sample of 45 access forms to confirm that the master file is restricted to authorized personnel.
    Results of Testing:
        DFAS Denver
        Payroll Office Users: Of the 12 SAAR forms selected for review, 1 form could not be located.
        Non-Payroll Office Users: Of the 15 SAAR forms inspected, 1 form did not include the completion date of the initial computer-based security training. In addition, 1 of the 15 SAAR forms inspected did not include a supervisor’s signature.
        The ZPA database included 42 users with supervisory-level access.
        DFAS Pensacola
        Payroll Office Users: Of the nine SAAR forms selected for review, one form could not be located.
Of the eight SAAR forms\n                                                                      inspected, two forms did not\n                                                                      include the completion date of the\n                                                                      initial computer-based security\n                                                                      training.\n                                                                      Non-Payroll Office Users\n                                                                      Of the 26 SAAR forms selected for\n                                                                      review, 4 forms could not be\n                                                                      located. Of the 22 SAAR forms\n                                                                      inspected, 3 forms did not include\n                                                                      the completion date of the initial\n                                                                      computer-based security training.\n                                                                      In addition, 2 of the 22 SAAR\n                                                                      forms inspected did not include the\n                                                                      supervisor\xe2\x80\x99s signature.\n                                                                      DFAS Charleston\n                                                                      Payroll Office Users\n                                                                      Of the 24 SAAR forms selected for\n                                                                      review, 1 form could not be located.\n                                                                      Of the 23 SAAR forms inspected, 1\n                                                       
               form did not match the level of\n                                                                      authorized access actually granted.\n                                                                      The Charleston payroll office had\n                                                                      133 DCPS users with access to\n                                                                      update time and attendance and\n                                                                      Master Employee data.\n                                                                      Non-Payroll Office Users\n                                                                      No relevant exceptions noted.\n\n\n                                               27\n\x0cNo.   Control Objective               Control Activities                       Tests Performed                           Results of Testing\n\n\n                                      Changes to the payroll withholding       Inquired with appropriate personnel       No relevant exceptions noted.\n                                      tables and master files are compared     and observed the process for making\n                                      to authorized source documents by        tax changes to the payroll withholding\n                                      supervisory personnel to ensure that     tables and master files after being\n                                      they were input accurately.              
compared to authorized source\n                                                                               documents by supervisory personnel\n                                                                               to ensure that they were tested and\n                                                                               approved.\n                                                                               Inquired with appropriate personnel\n                                                                               and observed the imaging process to\n                                                                               confirm that inputs are compared to\n                                                                               authorized Imaging documents to\n                                                                               ensure that they were input accurately.\n\n2     Controls provide reasonable     Policies and procedures are              Inquired with appropriate personnel       No relevant exceptions noted.\n      assurance that changes to the   documented to describe how changes       and read policies and procedures to\n      payroll master files and        to the payroll master files and          confirm that changes to the payroll\n      withholding tables are          withholding tables are authorized,       master files and withholding tables are\n      authorized, input, and          input, and processed timely.             authorized, input, and processed\n      processed timely.                                                        
timely.\n\n                                      Changes to the payroll master file and   Inquired with appropriate personnel       No relevant exceptions noted.\n                                      withholding table data are logged in     and inspected OLQs and summary\n                                      numerous reports including the Master    reports to confirm that changes to the\n                                      Employee Add/Change/Delete Report        payroll master file and table data are\n                                      and reviewed by supervisory              logged and reviewed by supervisory\n                                      personnel to ensure that all requested   personnel.\n                                      changes are processed timely.\n\n                                      Requests to change the payroll master    Inquired with appropriate personnel       DFAS Denver\n                                      file data and withholding table are      and inspected a random sample of\n                                      submitted on pre-numbered Remedy         45 Remedy tickets to confirm that:        Of the 45 Remedy tickets inspected,\n                                      tickets; the numerical sequence of the                                             2 tickets were not completed within\n                                      Remedy tickets is accounted for to       1) tickets are pre-numbered,              the required 3-10 day time frame.\n                                      ensure that the requested changes are    2) the sequence is accounted for so       DFAS Pensacola\n                                      processed timely. 
Access to source       that the forms are accounted for\n                                      documents is controlled; key source      timely,                                   Of the 45 Remedy tickets inspected,\n                                      documents require signatures from                                                  3 tickets were not completed within\n                                      supervisory personnel.                   3) access to the source documents is      the required 3-10 day time frame.\n                                                                               controlled,\n\n\n                                                                     28\n\x0cNo.   Control Objective   Control Activities                        Tests Performed                          Results of Testing\n\n                                                                    4) key source documents require          DFAS-Charleston\n                                                                    signatures from supervisory\n                                                                    personnel, and                           Of the 45 Remedy tickets inspected,\n                                                                                                             6 tickets were not completed within\n                                                                    5) tickets are completed within the      the required 3-10 day time frame.\n                                                                    required time frame.\n                                                                                                             All Payroll Offices\n                                                                                                             Remedy tickets were not\n                                                                                                             sequentially numbered. 
Remedy\n                                                                                                             tickets used for testing purposes\n                                                                                                             were deleted. Documentation was\n                                                                                                             not maintained for these tickets.\n\n                          Payroll master file data and              Inquired with appropriate personnel      DFAS Denver\n                          withholding table data are edited and     and inspected a random sample of\n                          validated, and errors identified on the   45 Personnel Interface Invalid Reports   OMA Pay Database\n                          Personnel Interface Invalid Report are    for erroneous transactions to confirm    Of the 45 Personnel Interface\n                          corrected promptly.                       that items are investigated and          Invalid Reports inspected, 3 reports\n                                                                    resolved timely.                         did not include a date indicating\n                                                                    Selected a random sample of              when actions to correct the errors\n                                                                    45 Personnel Interface Invalid Reports   had been completed. In addition,\n                                                                    for the OMA pay database. 
In             35 of the 45 Personnel Interface\n                                                                    addition, the ZPA pay database only      Invalid Reports inspected did not\n                                                                    processed data for two pay periods,      include annotations indicating how\n                                                                    therefore, we reviewed all               the errors were corrected.\n                                                                    16 Personnel Interface Invalid Reports   ZPA Pay Database\n                                                                    during that period at DFAS Denver.\n                                                                    As a result, 61 Personnel Interface      Of the 16 Personnel Interface\n                                                                    Invalid Reports were selected for        Invalid Reports inspected, 1 report\n                                                                    review at DFAS Denver.                   did not include annotations\n                                                                                                             indicating how the errors were\n                                                                    Selected a random sample of              corrected.\n                                                                    45 Personnel Interface Invalid Reports\n                                                                    beginning on February 14, 2006, at\n                                                                    DFAS Charleston.                         
DFAS Pensacola\n                                                                                                             Of the 45 Personnel Interface\n                                                                                                             Invalid Reports selected for review,\n                                                                                                             1 report could not be located. Of\n                                                                                                             the 44 Personnel Interface Invalid\n                                                                                                             Reports inspected, 25 reports were\n                                                                                                             annotated; however, sufficient\n\n                                                          29\n\x0cNo.   Control Objective   Control Activities                      Tests Performed                           Results of Testing\n\n                                                                                                            detail did not exist to determine\n                                                                                                            whether all errors within the report\n                                                                                                            were resolved.\n                                                                                                            In addition, 19 of the 44 Personnel\n                                                                                                            Interface Invalid Reports inspected\n                                                                                                            were annotated in Microsoft Word,\n                                                                              
                              but did not include the annotator\xe2\x80\x99s\n                                                                                                            signature or date of annotation.\n                                                                                                            DFAS Charleston\n                                                                                                            Personnel Interface Invalid Reports\n                                                                                                            were neither annotated, nor\n                                                                                                            available for review July 1, 2005,\n                                                                                                            through February 13, 2006.\n                                                                                                            Of the 45 Personnel Interface\n                                                                                                            Invalid Reports selected for review,\n                                                                                                            3 reports could not be provided.\n                                                                                                            None of the 42 Personnel Interface\n                                                                                                            Invalid Reports inspected included\n                                                                                                            a signature, date, and annotations\n                                                                                                            indicating how the errors were\n                                                                                              
              corrected.\n\n                          The ability to view, modify, or         Inquired with appropriate personnel       DFAS Denver\n                          transfer information contained in the   and inspected a random sample of\n                          payroll master files is restricted to   45 access forms to confirm that the       Payroll Office Users\n                          authorized personnel.                   master file is restricted to authorized   Of the 12 SAAR forms selected for\n                                                                  personnel.                                review, 1 form could not be located.\n                                                                                                            Non-Payroll Office Users\n                                                                                                            Of the 15 SAAR forms inspected, 1\n                                                                                                            form did not include the completion\n                                                                                                            date of the initial computer-based\n                                                                                                            security training. 
In addition, 1 of\n                                                                                                            the 15 SAAR forms inspected did\n                                                                                                            not include a supervisor\xe2\x80\x99s signature.\n                                                                                                            The ZPA database included\n                                                                                                            42 users with supervisory-level\n                                                                                                            access.\n\n\n                                                          30\n\x0cNo.   Control Objective   Control Activities        Tests Performed   Results of Testing\n\n                                                                      DFAS Pensacola\n                                                                      Payroll Office Users\n                                                                      Of the nine SAAR forms selected\n                                                                      for review, one form could not be\n                                                                      located. 
Of the eight SAAR forms\n                                                                      inspected, two forms did not\n                                                                      include the completion date of the\n                                                                      initial computer-based security\n                                                                      training.\n                                                                      Non-Payroll Office Users\n                                                                      Of the 26 SAAR forms selected for\n                                                                      review, 4 forms could not be\n                                                                      located. Of the 22 SAAR forms\n                                                                      inspected, 3 forms did not include\n                                                                      the completion date of the initial\n                                                                      computer-based security training.\n                                                                      In addition, 2 of the 22 SAAR\n                                                                      forms inspected did not include the\n                                                                      supervisor\xe2\x80\x99s signature.\n                                                                      DFAS Charleston\n                                                                      Payroll Office Users\n                                                                      Of the 24 SAAR forms selected for\n                                                                      review, 1 form could not be located.\n                                                                      Of the 23 SAAR forms inspected, 1\n                                                       
               form did not match the level of\n                                                                      authorized access actually granted.\n                                                                      The Charleston payroll office had\n                                                                      133 DCPS users with access to\n                                                                      update time and attendance and\n                                                                      Master Employee data.\n                                                                      Non-Payroll Office Users\n                                                                      No relevant exceptions noted.\n\n\n\n\n                                               31\n\x0cNo.   Control Objective                Control Activities                        Tests Performed                           Results of Testing\n\n\n3     Controls provide reasonable      Policies and procedures are               Inquired with appropriate personnel       No relevant exceptions noted.\n      assurance that payroll           documented to describe how payroll        and read policies and procedures to\n      processing is accurate and       processing is accurate and recorded in    confirm that payroll processing is\n      recorded in the proper period.   the proper period.                        accurate and recorded in the\n                                                                                 appropriate period.\n\n                                       Compliance with the payroll               Inquired with appropriate personnel       No relevant exceptions noted.\n                                       disbursement processing schedule is       and inspected pay processing\n                                       monitored by management.                  
schedules and observed payroll\n                                                                                 disbursement process to confirm the\n                                                                                 monitoring of payroll disbursement\n                                                                                 processing schedule by management.\n\n                                       The detailed \xe2\x80\x9c592\xe2\x80\x9d payroll                Inquired with appropriate personnel       DFAS Pensacola\n                                       reconciliation shows that all pertinent   and examined a sample of 26 \xe2\x80\x9c592\xe2\x80\x9d\n                                       data describing the payroll (including    reconciliations for each database to      Of the 26 \xe2\x80\x9c592\xe2\x80\x9d reconciliation\n                                       total disbursements, retirement, TSP,     confirm the following conditions          reports inspected, 1 report did not\n                                       bonds, and other withholdings) and        exist.                                    include a preparer\xe2\x80\x99s signature and\n                                       the related balances are reconciled, in                                             date. In addition, the Withholdings\n                                       the appropriate accounting period, to     1) The detailed payroll reconciliation    for Benefits report did not have a\n                                       corresponding general ledger accounts     shows that all pertinent data             Certifying Officer's signature and\n                                       within DCPS. All reconciled items         describing the payroll (including total   date. 
However, DFAS Denver\n                                       are investigated and cleared on a         disbursements, retirement, TSP,           maintained a signed copy of the\n                                       timely basis by supervisors prior to      bonds, and other withholdings) and        \xe2\x80\x9c592\xe2\x80\x9d reconciliation report that they\n                                       disbursement.                             the related balances are reconciled, in   processed during contingency\n                                                                                 the appropriate accounting period, to     operations on behalf of DFAS\n                                                                                 corresponding general ledger accounts     Pensacola.\n                                                                                 within DCPS.\n                                                                                                                           DFAS Denver\n                                                                                 2) Each \xe2\x80\x9c592\xe2\x80\x9d reconciliation is\n                                                                                 approved by management prior to           No relevant exceptions noted.\n                                                                                 disbursement.                             DFAS Charleston\n                                                                                 3) Reconciled items are investigated      No relevant exceptions noted.\n                                                                                 and cleared on a timely basis by\n                                                                                 supervisors prior to disbursement.\n\n\n\n\n                                                                       32\n\x0cNo.   
Control Objective                Control Activities                Tests Performed                Results of Testing

Control Objective (continued from the previous page)

   Control Activity: Summary payroll reports (including OLQs of total disbursements, retirement, TSP, bonds, and other withholdings) are reviewed and approved by management prior to disbursement.
   Tests Performed: Inquired with appropriate personnel and inspected summary reports and OLQs to confirm they are reviewed and approved by management prior to disbursement.
   Results of Testing: No relevant exceptions noted.

4  Controls provide reasonable assurance that disbursed payroll (including compensation and withholding) is accurately calculated and recorded.

   Control Activity: Policies and procedures are documented to describe how disbursed payroll (including compensation and withholding) is calculated and recorded.
   Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that disbursed payroll is accurately calculated and recorded.
   Results of Testing: No relevant exceptions noted.

   Control Activity: The detailed "592" payroll reconciliation shows all pertinent data describing the payroll (including total disbursements, retirement, TSP, bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS. All reconciled items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
   Tests Performed: Inquired with appropriate personnel and examined a sample of 26 "592" reconciliations for each database to confirm that the following conditions exist:
      1) The detailed payroll reconciliation shows that all pertinent data describing the payroll (including total disbursements, retirement, TSP, bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS.
      2) Each "592" reconciliation is approved by management prior to disbursement.
      3) Reconciled items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
   Results of Testing:
      DFAS Pensacola: Of the 26 "592" reconciliation reports inspected, 1 report did not include a preparer's signature and date. In addition, the Withholdings for Benefits report did not have a Certifying Officer's signature and date. However, DFAS Denver maintained a signed copy of the "592" reconciliation report that they processed during contingency operations on behalf of DFAS Pensacola.
      DFAS Denver: No relevant exceptions noted.
      DFAS Charleston: No relevant exceptions noted.

   Control Activity: Summary payroll reports (including OLQs of total disbursements, retirement, TSP, bonds, and other withholdings) are reviewed and approved by management prior to disbursement.
   Tests Performed: Inquired with appropriate personnel and inspected summary reports and OLQs to confirm they are reviewed and approved by management prior to disbursement.
   Results of Testing: No relevant exceptions noted.

   Control Activity: DCPS performs limit and reasonableness checks on employee earnings.
   Tests Performed: Inquired with appropriate personnel and inspected the limit and reasonableness report to confirm reasonableness checks are performed on employee earnings.
   Results of Testing: No relevant exceptions noted.

   Control Activity: Programmed validation and edit checks identify erroneous data.
   Tests Performed: Observed the input of new employees into DCPS to confirm that programmed validation and edit checks identify erroneous data entered directly into DCPS.
   Results of Testing: No relevant exceptions noted.

5  Controls provide reasonable assurance that only valid, authorized employees are paid and that payroll is disbursed to appropriate employees.

   Control Activity: Policies and procedures are documented to describe how only valid, authorized employees are paid and that payroll is disbursed to appropriate employees.
   Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that only valid, authorized employees are paid and that payroll is disbursed to appropriate employees.
   Results of Testing: No relevant exceptions noted.

   Control Activity: OLQs and summary reports (including the Master Employee Add/Change/Delete Report) are periodically reviewed by supervisory personnel to determine if the master files remain accurate and pertinent.
   Tests Performed: Inquired with appropriate personnel and inspected OLQs and summary reports to confirm that master files and withholding tables are periodically reviewed by supervisory personnel.
   Results of Testing: No relevant exceptions noted.

   Control Activity: Departmental managers periodically review listings (including the Personnel/Payroll Reconciliation or Control of Hours Report) of current employees within their departments and notify the personnel department of necessary changes. All payroll queries are followed up by persons independent of the payroll preparation and disbursement process.
   Tests Performed: Inquired with appropriate personnel and inspected the Personnel/Payroll Reconciliation or Control of Hours Reports to confirm that they are sent to management for review of employee listings and notification to the personnel department of changes.
   Results of Testing: No relevant exceptions noted.

   Control Activity: The detailed "592" payroll reconciliation shows that all pertinent data describing the payroll (including total disbursements, retirement, TSP, bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS. All reconciled items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
   Tests Performed: Inquired with appropriate personnel and examined a sample of 26 "592" reconciliations for each database to confirm that the following conditions exist:
      1) The detailed payroll reconciliation shows that all pertinent data describing the payroll (including total disbursements, retirement, TSP, bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS.
      2) Each "592" reconciliation is approved by management prior to disbursement.
      3) Reconciled items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
   Results of Testing:
      DFAS Pensacola: Of the 26 "592" reconciliation reports inspected, 1 report did not include a preparer's signature and date. In addition, the Withholdings for Benefits report did not have a Certifying Officer's signature and date. However, DFAS Denver maintained a signed copy of the "592" reconciliation report that they processed during contingency operations on behalf of DFAS Pensacola.
      DFAS Denver: No relevant exceptions noted.
      DFAS Charleston: No relevant exceptions noted.

   Control Activity: Summary payroll reports (including OLQs of total disbursements, retirement, TSP, bonds, and other withholdings) are reviewed and approved by management prior to disbursement.
   Tests Performed: Inquired with appropriate personnel and inspected summary reports and OLQs to confirm that they are reviewed and approved by management prior to disbursement.
   Results of Testing: No relevant exceptions noted.

   Control Activity: Only authorized personnel have the ability to disburse payroll.
   Tests Performed: Inquired with the appropriate personnel, observed the disbursement of payroll, and inspected a random sample of DCPS user profiles for disbursement privileges to confirm that only authorized personnel have the ability to disburse payroll.
   Results of Testing: No relevant exceptions noted.

6  Controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.

   Control Activity: Policies and procedures are documented to describe how management ensures that controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.
   Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.
   Results of Testing: No relevant exceptions noted.

   Control Activity: Payroll transactions at the end of a payroll cycle are reconciled by supervisors to ensure complete and consistent recording in the appropriate accounting period.
   Tests Performed: Inquired with appropriate personnel and examined a sample of 26 "592" payroll reconciliations at the end of a payroll cycle to confirm they are reconciled to ensure complete and consistent recording in the appropriate accounting period.
   Results of Testing: No relevant exceptions noted.

   Control Activity: Error reports (for example, the Personnel Interface Invalid Report) and error warnings show rejected transactions with error messages that have clearly understandable corrective actions for each type of error.
   Tests Performed: Inquired with appropriate personnel and inspected error warnings and a random sample of 45 Personnel Interface Invalid Reports to confirm that they show rejected transactions with error messages that have clearly understandable corrective actions for each type of error. Selected a random sample of 45 Personnel Interface Invalid Reports for the OMA pay database. In addition, the ZPA pay database only processed data for two pay periods; therefore, we reviewed all 16 Personnel Interface Invalid Reports during that period at DFAS Denver. As a result, 61 Personnel Interface Invalid Reports were selected for review at DFAS Denver. Selected a random sample of 45 Personnel Interface Invalid Reports beginning on February 14, 2006, at DFAS Charleston.
   Results of Testing:
      DFAS Denver, OMA Pay Database: Of the 45 Personnel Interface Invalid Reports inspected, 3 reports did not include a date indicating when actions to correct the errors had been completed. In addition, 35 of the 45 Personnel Interface Invalid Reports inspected did not include annotations indicating how the errors were corrected.
      DFAS Denver, ZPA Pay Database: Of the 16 Personnel Interface Invalid Reports inspected, 1 report did not include annotations indicating how the errors were corrected.
      DFAS Pensacola: Of the 45 Personnel Interface Invalid Reports selected for review, 1 report could not be located. Of the 44 Personnel Interface Invalid Reports inspected, 25 reports were annotated; however, sufficient detail did not exist to determine whether all errors within the report were resolved. In addition, 19 of the 44 Personnel Interface Invalid Reports inspected were annotated in Microsoft Word, but did not include the annotator's signature or date of annotation.
      DFAS Charleston: Personnel Interface Invalid Reports were neither annotated nor available for review July 1, 2005, through February 13, 2006. Of the 45 Personnel Interface Invalid Reports selected for review, 3 reports could not be provided. None of the 42 Personnel Interface Invalid Reports inspected included a signature, date, and annotations indicating how the errors were corrected.

   Control Activity: Rejected data are automatically written to the Personnel Interface Invalid Report and held until corrected by payroll technicians, and each erroneous transaction is annotated with codes indicating the type of data error, the date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction.
   Tests Performed: Inquired with the appropriate personnel and inspected the Personnel Interface Invalid Report of rejected data to confirm that the rejected data are automatically written on an automated error suspense file and held until corrected by payroll technicians, and that each erroneous transaction is annotated with codes indicating the type of data error, the date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction. Selected a random sample of 45 Personnel Interface Invalid Reports for the OMA pay database. In addition, the ZPA pay database only processed data for two pay periods; therefore, we reviewed all 16 Personnel Interface Invalid Reports during that period at DFAS Denver. As a result, 61 Personnel Interface Invalid Reports were selected for review at DFAS Denver. Selected a random sample of 45 Personnel Interface Invalid Reports beginning on February 14, 2006, at DFAS Charleston.
   Results of Testing:
      DFAS Denver, OMA Pay Database: Of the 45 Personnel Interface Invalid Reports inspected, 3 reports did not include a date indicating when actions to correct the errors had been completed. In addition, 35 of the 45 Personnel Interface Invalid Reports inspected did not include annotations indicating how the errors were corrected.
      DFAS Denver, ZPA Pay Database: Of the 16 Personnel Interface Invalid Reports inspected, 1 report did not include annotations indicating how the errors were corrected.
      DFAS Pensacola: Of the 45 Personnel Interface Invalid Reports selected for review, 1 report could not be located. Of the 44 Personnel Interface Invalid Reports inspected, 25 reports were annotated; however, sufficient detail did not exist to determine whether all errors within the report were resolved. In addition, 19 of the 44 Personnel Interface Invalid Reports inspected were annotated in Microsoft Word, but did not include the annotator's signature or date of annotation.
      DFAS Charleston: Personnel Interface Invalid Reports were neither annotated nor available for review July 1, 2005, through February 13, 2006. Of the 45 Personnel Interface Invalid Reports selected for review, 3 reports could not be provided. None of the 42 Personnel Interface Invalid Reports inspected included a signature, date, and annotations indicating how the errors were corrected.

7  Controls provide reasonable assurance that fiscal year-end, leave year-end, and calendar year-end processing occurs in accordance with established Government-wide and agency guidelines.

   Control Activity: Policies and procedures are documented to describe how fiscal year-end, leave year-end, and calendar year-end processing occurs in accordance with established Government-wide and agency guidelines.
   Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that capabilities exist for fiscal year-end, leave year-end, and calendar year-end processing and forfeitures in accordance with established Government-wide and agency guidelines.
   Results of Testing: No relevant exceptions noted.

   Control Activity: Payroll withholding table data are periodically reviewed by supervisors for compliance with statutory requirements.
   Tests Performed: Inspected payroll withholding table data updates to confirm they are periodically updated by supervisory personnel for compliance with statutory requirements.
   Results of Testing: No relevant exceptions noted.

   Control Activity: The detailed "592" payroll reconciliation shows that all pertinent data describing the payroll (including total disbursements, retirement, TSP, bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS. All reconciled items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
   Tests Performed: Inquired with appropriate personnel and examined a sample of 26 "592" reconciliations for each database to confirm the following conditions exist:
      1) The detailed payroll reconciliation shows that all pertinent data describing the payroll (including total disbursements, retirement, TSP, bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS.
      2) Each "592" reconciliation is approved by management prior to disbursement.
      3) Reconciled items are investigated and cleared on a timely basis by supervisory personnel prior to disbursement.
   Results of Testing:
      DFAS Pensacola: Of the 26 "592" reconciliation reports inspected, 1 report did not include a preparer's signature and date. In addition, the Withholdings for Benefits report did not have a Certifying Officer's signature and date. However, DFAS Denver maintained a signed copy of the "592" reconciliation report that they processed during contingency operations on behalf of DFAS Pensacola.
      DFAS Denver: No relevant exceptions noted.
      DFAS Charleston: No relevant exceptions noted.

   Control Activity: The data processing control group has a schedule by application that shows when outputs should be completed, when they need to be distributed, who the recipients are, and the copies needed; reviews output products for general acceptability; and reconciles control information to determine completeness of processing.
   Tests Performed: Inquired with appropriate personnel and inspected the schedules used by the data processing group to confirm that they:
      1) have a schedule by application that shows when outputs need to be completed, when they need to be distributed, who the recipients are, and the copies needed;
      2) review output products for general acceptability;
      3) reconcile control information to determine completeness of processing.
   Results of Testing: No relevant exceptions noted.

   Control Activity: Users review the Personnel Interface Invalid Reports for data accuracy, validity, and completeness.
   Tests Performed: Inquired with appropriate personnel and inspected a random sample of 45 Personnel Interface Invalid Reports that users review for output to confirm that the reports are reviewed for data accuracy, validity, and completeness. Selected a random sample of 45 Personnel Interface Invalid Reports for the OMA pay database. In addition, the ZPA pay database only processed data for two pay periods; therefore, we reviewed all 16 Personnel Interface Invalid Reports during that period at DFAS Denver. As a result, 61 Personnel Interface Invalid Reports were selected for review at DFAS Denver. Selected a random sample of 45 Personnel Interface Invalid Reports beginning on February 14, 2006, at DFAS Charleston.
   Results of Testing:
      DFAS Denver, OMA Pay Database: Of the 45 Personnel Interface Invalid Reports inspected, 3 reports did not include a date indicating when actions to correct the errors had been completed. In addition, 35 of the 45 Personnel Interface Invalid Reports inspected did not include annotations indicating how the errors were corrected.
      DFAS Denver, ZPA Pay Database: Of the 16 Personnel Interface Invalid Reports inspected, 1 report did not include annotations indicating how the errors were corrected.
      DFAS Pensacola: Of the 45 Personnel Interface Invalid Reports selected for review, 1 report could not be located.
Of\n                                                                                             the 44 Personnel Interface Invalid\n                                                                                             Reports inspected, 25 reports were\n                                                                                             annotated; however, sufficient\n                                                                                             detail did not exist to determine\n                                                                                             whether all errors within the report\n                                                                                             were resolved.\n                                                                                             In addition, 19 of the 44 Personnel\n                                                                                             Interface Invalid Reports inspected\n                                                                                             were annotated in Microsoft Word,\n                                                                                             but did not include the annotator\xe2\x80\x99s\n                                                                                             signature or date of annotation.\n                                                                                             DFAS Charleston\n                                                                                             Personnel Interface Invalid Reports\n                                                                                             were neither annotated, nor\n                                                                                             available for review July 1, 2005,\n                                                                                             
through February 13, 2006.\n                                                                                             Of the 45 Personnel Interface\n                                                                                             Invalid Reports selected for review,\n                                                                                             3 reports could not be provided.\n                                                                                             None of the 42 Personnel Interface\n                                                                                             Invalid Reports inspected included\n                                                                                             a signature, date, and annotations\n                                                                                             indicating how the errors were\n                                                                                             corrected.\n\n\n                                               41\n\x0cNo.   
Control Objective                   Control Activities                        Tests Performed                            Results of Testing\n\n\n8     Controls provide reasonable         Policies and procedures are               Inquired with appropriate personnel        No relevant exceptions noted.\n      assurance that current- or prior-   documented to describe how current-       and read policies and procedures to\n      period adjustments to               or prior-period adjustments to            confirm that current- or prior-period\n      employee's pay, including           employee's pay, including employee        adjustments to employee's pay,\n      employee debt, tax deduction,       debt, tax deductions, or deductions not   including employee debt, tax\n      or deductions not taken, are        taken, are reported, reconciled, and      deductions, or deductions not taken,\n      reported, reconciled, and           approved.                                 are reported, reconciled, and\n      approved.                                                                     approved.\n\n                                          The detailed \xe2\x80\x9c592\xe2\x80\x9d payroll                Inquired with appropriate personnel        DFAS Pensacola\n                                          reconciliation shows that all pertinent   and examined a sample of 26 \xe2\x80\x9c592\xe2\x80\x9d\n                                          data describing the payroll (including    reconciliations for each database to       Of the 26 \xe2\x80\x9c592\xe2\x80\x9d reconciliation\n                                          total disbursements, retirement, TSP,     confirm that the following conditions      reports inspected, 1 report did not\n                                          bonds, and other withholdings) and        exist.                                     
include a preparer\xe2\x80\x99s signature and\n                                          the related balances are reconciled, in                                              date. In addition, the Withholdings\n                                          the appropriate accounting period, to     1) The detailed payroll reconciliation     for Benefits report did not have a\n                                          corresponding general ledger accounts     shows that all pertinent data              Certifying Officer's signature and\n                                          within DCPS. All reconciled items         describing the payroll (including total    date. However, DFAS Denver\n                                          are investigated and cleared on a         disbursements, retirement, TSP,            maintained a signed copy of the\n                                          timely basis by supervisory personnel     bonds, and other withholdings) and         \xe2\x80\x9c592\xe2\x80\x9d reconciliation report that they\n                                          prior to disbursement.                    
the related balances are reconciled, in    processed during contingency\n                                                                                    the appropriate accounting period, to      operations on behalf of DFAS\n                                                                                    corresponding general ledger accounts      Pensacola.\n                                                                                    within DCPS.\n                                                                                                                               DFAS Denver\n                                                                                    2) Each \xe2\x80\x9c592\xe2\x80\x9d reconciliation is\n                                                                                    approved by management prior to            No relevant exceptions noted.\n                                                                                    disbursement.                              
DFAS Charleston\n                                                                                    3) Reconciled items are investigated       No relevant exceptions noted.\n                                                                                    and cleared on a timely basis by\n                                                                                    supervisory personnel prior to\n                                                                                    disbursement.\n\n                                          OLQs and summary reports (including       Inquired with appropriate personnel        No relevant exceptions noted.\n                                          the Master Employee                       and inspected OLQs and summary\n                                          Add/Change/Delete Report) are             reports to confirm that master files are\n                                          periodically reviewed by supervisory      periodically reviewed by supervisory\n                                          personnel to determine if the master      personnel.\n                                          files remain accurate and pertinent.\n\n\n\n                                                                          42\n\x0cNo.   Control Objective   Control Activities                      Tests Performed                           Results of Testing\n\n\n                          The ability to view, modify, or         Inquired with appropriate personnel       DFAS Denver\n                          transfer information contained in the   and inspected a random sample of\n                          payroll master files is restricted to   45 access forms to confirm that the       Payroll Office Users\n                          authorized personnel.                   master file is restricted to authorized   Of the 12 SAAR forms selected for\n                                                                  personnel.  
                              review, 1 form could not be located.\n                                                                                                            Non-Payroll Office Users\n                                                                                                            Of the 15 SAAR forms inspected, 1\n                                                                                                            form did not include the completion\n                                                                                                            date of the initial computer-based\n                                                                                                            security training. In addition, 1 of\n                                                                                                            the 15 SAAR forms inspected did\n                                                                                                            not include a supervisor\xe2\x80\x99s signature.\n                                                                                                            The ZPA database included\n                                                                                                            42 users with supervisory-level\n                                                                                                            access.\n                                                                                                            DFAS Pensacola\n                                                                                                            Payroll Office Users\n                                                                                                            Of the nine SAAR forms selected\n                                                                                                            for review, one form 
could not be\n                                                                                                            located. Of the eight SAAR forms\n                                                                                                            inspected, two forms did not\n                                                                                                            include the completion date of the\n                                                                                                            initial computer-based security\n                                                                                                            training.\n                                                                                                            Non-Payroll Office Users\n                                                                                                            Of the 26 SAAR forms selected for\n                                                                                                            review, 4 forms could not be\n                                                                                                            located. 
Of the 22 SAAR forms\n                                                                                                            inspected, 3 forms did not include\n                                                                                                            the completion date of the initial\n                                                                                                            computer-based security training.\n                                                                                                            In addition, 2 of the 22 SAAR\n                                                                                                            forms inspected did not include the\n                                                                                                            supervisor\xe2\x80\x99s signature.\n\n\n\n\n                                                          43\n\x0cNo.   Control Objective   Control Activities                       Tests Performed                        Results of Testing\n\n                                                                                                          DFAS Charleston\n                                                                                                          Payroll Office Users\n                                                                                                          Of the 24 SAAR forms selected for\n                                                                                                          review, 1 form could not be located.\n                                                                                                          Of the 23 SAAR forms inspected, 1\n                                                                                                          form did not match the level of\n                                                                                                     
     authorized access actually granted.\n                                                                                                          The Charleston payroll office had\n                                                                                                          133 DCPS users with access to\n                                                                                                          update time and attendance and\n                                                                                                          Master Employee data.\n                                                                                                          Non-Payroll Office Users\n                                                                                                          No relevant exceptions noted.\n\n                          Requests to change the payroll master    Inquired with appropriate personnel    DFAS Denver\n                          file data and withholding table are      and inspected a random sample of\n                          submitted on pre-numbered Remedy         45 Remedy tickets to confirm that:     Of the 45 Remedy tickets inspected,\n                          tickets; the numerical sequence of the                                          2 tickets were not completed within\n                          Remedy tickets is accounted for to       1) tickets are pre-numbered,           the required 3-10 day time frame.\n                          ensure that the requested changes are    2) the sequence is accounted for so    DFAS Pensacola\n                          processed timely. 
Access to source       that the forms are accounted for\n                          documents is controlled and key          timely,                                Of the 45 Remedy tickets inspected,\n                          source documents require signatures                                             3 tickets were not completed within\n                          from management.                         3) access to the source documents is   the required 3-10 day time frame.\n                                                                   controlled,\n                                                                                                          DFAS-Charleston\n                                                                   4) key source documents require\n                                                                   signatures from supervisory            Of the 45 Remedy tickets inspected,\n                                                                   personnel, and                         6 tickets were not completed within\n                                                                                                          the required 3-10 day time frame.\n                                                                   5) tickets are completed within the\n                                                                   required time frame.                   All Payroll Offices\n                                                                                                          Remedy tickets were not\n                                                                                                          sequentially numbered. Remedy\n                                                                                                          tickets used for testing purposes\n                                                                                                          were deleted. 
Documentation was\n                                                                                                          not maintained for these tickets.\n\n\n\n\n                                                         44\n\x0cNo.   Control Objective                Control Activities                      Tests Performed                            Results of Testing\n\n\n9     All application users are        Policies and procedures are             Inquired with appropriate personnel        No relevant exceptions noted.\n      appropriately identified and     documented to describe how              and read policies and procedures to\n      authenticated. Access to the     application users are appropriately     confirm that users are appropriately\n      application and output is        identified and authenticated. Access    identified and authenticated and that\n      restricted to authorized users   to the application and output is        access to the application and output is\n      for authorized purposes.         restricted to authorized users for      restricted to authorized users for\n                                       authorized purposes.                    authorized purposes.\n\n                                       Online access logs are maintained by    Inquired with appropriate personnel        No relevant exceptions noted.\n                                       the SMO and the logs are reviewed       and inspected access logs and e-mails\n                                       regularly for unauthorized access       for unauthorized access attempts to\n                                       attempts.                               
confirm that logs are maintained by\n                                                                               the SMO and the logs are reviewed\n                                                                               regularly for unauthorized access\n                                                                               attempts.\n\n                                       Each operator is required to complete   Inquired with appropriate personnel        DFAS Denver\n                                       a SAAR form before being granted        and inspected a random sample of\n                                       access to the system.                   45 user authorization forms to confirm     Payroll Office Users\n                                                                               that each operator is authorized before    Of the 12 SAAR forms selected for\n                                       The ability to view, modify, or         being granted access to the system\n                                       transfer information contained in the                                              review, 1 form could not be located.\n                                                                               and that the DCPS master file and\n                                       payroll master files is restricted to   output is restricted to authorized users   Non-Payroll Office Users\n                                       authorized personnel.                   for authorized purposes.                   
Of the 15 SAAR forms inspected, 1\n                                                                                                                          form did not include the completion\n                                                                                                                          date of the initial computer-based\n                                                                                                                          security training. In addition, 1 of\n                                                                                                                          the 15 SAAR forms inspected did\n                                                                                                                          not include a supervisor\xe2\x80\x99s signature.\n                                                                                                                          The ZPA database included\n                                                                                                                          42 users with supervisory-level\n                                                                                                                          access.\n                                                                                                                          DFAS Pensacola\n                                                                                                                          Payroll Office Users\n                                                                                                                          Of the nine SAAR forms selected\n                                                                                                                          for review, one form could not be\n                                                                                                                          located. 
Of the eight SAAR forms\n                                                                                                                          inspected, two forms did not\n\n                                                                       45\n\x0cNo.   Control Objective   Control Activities                       Tests Performed                            Results of Testing\n\n                                                                                                              include the completion date of the\n                                                                                                              initial computer-based security\n                                                                                                              training.\n                                                                                                              Non-Payroll Office Users\n                                                                                                              Of the 26 SAAR forms selected for\n                                                                                                              review, 4 forms could not be\n                                                                                                              located. 
Of the 22 SAAR forms\n                                                                                                              inspected, 3 forms did not include\n                                                                                                              the completion date of the initial\n                                                                                                              computer-based security training.\n                                                                                                              In addition, 2 of the 22 SAAR\n                                                                                                              forms inspected did not include the\n                                                                                                              supervisor\xe2\x80\x99s signature.\n                                                                                                              DFAS Charleston\n                                                                                                              Payroll Office Users\n                                                                                                              Of the 24 SAAR forms selected for\n                                                                                                              review, 1 form could not be located.\n                                                                                                              Of the 23 SAAR forms inspected, 1\n                                                                                                              form did not match the level of\n                                                                                                              authorized access actually granted.\n                                                                                                              The 
Results of Testing (continued): DFAS Charleston, Payroll Office Users: The Charleston payroll office had 133 DCPS users with access to update time and attendance and Master Employee data. Non-Payroll Office Users: No relevant exceptions noted.

Control Activity: Departmental managers periodically review listings (including the Personnel/Payroll Reconciliation and Control of Hours Report) of current employees within their departments and notify the personnel department of necessary changes.
Tests Performed: Inquired with appropriate personnel and inspected the Personnel/Payroll Reconciliation and Control of Hours reports to confirm that they are sent to management for review of employee listings and notification to the personnel department of changes.
Results of Testing: No relevant exceptions noted.

46

No.   Control Objective   Control Activities   Tests Performed   Results of Testing

Control Objective 10: Controls provide reasonable assurance that data transmissions in DCPS from user organizations are authorized, complete, accurate, and secure.

Control Activity: Policies and procedures are documented to describe how data transmissions in DCPS from organizations are authorized, complete, accurate, and secure.
Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that data transmissions between DCPS and user organizations are authorized, complete, accurate, and secure.
Results of Testing: No relevant exceptions noted.

Control Activity: Compliance with the payroll disbursement processing schedule is monitored by management.
Tests Performed: Inquired with appropriate personnel, inspected pay processing schedules, and observed the payroll disbursement process to confirm the monitoring of the payroll disbursement processing schedule by management.
Results of Testing: No relevant exceptions noted.

Control Activity: Each operator is required to complete a SAAR form before being granted access to the system.
Control Activity: User profiles limit what transactions data entry personnel can input.
Tests Performed: Inquired with appropriate personnel and inspected a random sample of 45 user authorization forms to confirm that each operator is required to have an authorization form before being granted access to the system and that user profiles limit what transactions data entry personnel can input.
Results of Testing:
DFAS Denver, Payroll Office Users: Of the 12 SAAR forms selected for review, 1 form could not be located.
DFAS Denver, Non-Payroll Office Users: Of the 15 SAAR forms inspected, 1 form did not include the completion date of the initial computer-based security training. In addition, 1 of the 15 SAAR forms inspected did not include a supervisor’s signature. The ZPA database included 42 users with supervisory-level access.
DFAS Pensacola, Payroll Office Users: Of the nine SAAR forms selected for review, one form could not be located. Of the eight SAAR forms inspected, two forms did not include the completion date of the initial computer-based security training.
DFAS Pensacola, Non-Payroll Office Users: Of the 26 SAAR forms selected for review, 4 forms could not be located. Of the 22 SAAR forms inspected, 3 forms did not include the completion date of the initial computer-based security training. In addition, 2 of the 22 SAAR forms inspected did not include the supervisor’s signature.
DFAS Charleston, Payroll Office Users: Of the 24 SAAR forms selected for review, 1 form could not be located. Of the 23 SAAR forms inspected, 1 form did not match the level of authorized access actually granted. The Charleston payroll office had 133 DCPS users with access to update time and attendance and Master Employee data.
DFAS Charleston, Non-Payroll Office Users: No relevant exceptions noted.

Control Activity: Remote terminal connections are secured and are connected through Government-issued computers.
Tests Performed: Inquired with appropriate personnel and observed remote terminal connections to confirm they are secured and are connected through Government computers.
Results of Testing: No relevant exceptions noted.

Control Activity: Data entry terminals are connected to the system only during specified periods of the day, which correspond with the business hours of the data entry personnel.
Tests Performed: Inquired with appropriate personnel and observed after-hours processes to confirm terminals are not authorized to be connected after business hours.
Results of Testing: No relevant exceptions noted.

Control Activity: User identification and passwords are required to gain access to the DCPS application.
Tests Performed: Inquired with appropriate personnel and observed the DCPS log-in screen to confirm that user identification and passwords are required to gain access to the DCPS application.
Results of Testing: No relevant exceptions noted.

Control Activity: Online access logs are maintained by the SMO and the logs are reviewed regularly for unauthorized access attempts.
Tests Performed: Inquired with appropriate personnel and inspected access logs and e-mails for unauthorized access attempts to confirm that logs are maintained by the SMO and the logs are reviewed regularly for unauthorized access attempts.
Results of Testing: No relevant exceptions noted.

Control Activity: Each terminal automatically disconnects from the system when not used after a specified period of time.
Tests Performed: Inquired with appropriate personnel and observed system inactivity to confirm that each terminal automatically disconnects from the system when not used within 15 minutes.
Results of Testing: No relevant exceptions noted.

Control Activity: When terminals are not in use, terminal rooms are locked or the terminals are secured.
Tests Performed: Inquired with appropriate personnel and observed the facility to confirm that when terminals are not in use, terminal rooms are locked or the terminals are secured.
Results of Testing: No relevant exceptions noted.
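The access-control rows under control objective 10 (user ID and password required, access logs reviewed for unauthorized attempts, terminals connected only during business hours, automatic disconnect after 15 minutes of inactivity) describe a review that can be scripted. The following Python script is an added example and is not code from the report, DFAS or DISA. The log format, the field names, the sample entries, the business-hours window and the failed-login threshold are assumptions constructed for illustration; only the 15-minute inactivity limit comes from the report.

```python
"""Review of a constructed DCPS-style terminal access log.

Added example, not from the report or from DFAS/DISA. Log layout, field
names, sample entries, business-hours window and failed-login threshold
are assumptions; the 15-minute idle limit is the one the report states.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <terminal> <user> <event>"
SAMPLE_LOG = """\
2006-03-01T08:02:11 TERM-01 jsmith LOGIN_OK
2006-03-01T08:04:50 TERM-01 jsmith ACTIVITY
2006-03-01T08:31:20 TERM-01 jsmith ACTIVITY
2006-03-01T09:15:00 TERM-02 rjones LOGIN_FAIL
2006-03-01T09:15:30 TERM-02 rjones LOGIN_FAIL
2006-03-01T09:16:05 TERM-02 rjones LOGIN_FAIL
2006-03-01T09:16:40 TERM-02 rjones LOGIN_OK
2006-03-01T22:45:00 TERM-03 mlee LOGIN_OK
2006-03-01T22:50:00 TERM-03 mlee LOGOUT
"""

BUSINESS_HOURS = (7, 18)             # assumed: 07:00 to 18:00 local time
IDLE_LIMIT = timedelta(minutes=15)   # from the report: disconnect within 15 minutes
FAILED_LOGIN_THRESHOLD = 3           # assumed review threshold
SESSION_END_EVENTS = {"LOGOUT", "DISCONNECT"}


def parse_log(text):
    """Parse log lines into (timestamp, terminal, user, event) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, user, event = line.split()
        entries.append((datetime.fromisoformat(ts), terminal, user, event))
    return entries


def review_access_log(text):
    """Return findings for the three controls, keyed by control name."""
    entries = parse_log(text)
    findings = {"failed_logins": [], "after_hours": [], "idle_gaps": []}

    # Unauthorized access attempts: repeated failed logins per user and terminal.
    fails = defaultdict(int)
    for _, terminal, user, event in entries:
        if event == "LOGIN_FAIL":
            fails[(terminal, user)] += 1
    for (terminal, user), n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings["failed_logins"].append(f"{user}@{terminal}: {n} failed logins")

    # Terminals connected outside the business hours of data entry personnel.
    for ts, terminal, user, event in entries:
        if event == "LOGIN_OK" and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings["after_hours"].append(f"{user}@{terminal} logged in at {ts.isoformat()}")

    # Inactivity: a gap over 15 minutes between events on one terminal with no
    # session-ending event in between means the automatic disconnect did not fire.
    last = {}
    for ts, terminal, _, event in entries:
        if terminal in last:
            prev_ts, prev_event = last[terminal]
            if prev_event not in SESSION_END_EVENTS and ts - prev_ts > IDLE_LIMIT:
                findings["idle_gaps"].append(f"{terminal}: {ts - prev_ts} idle without disconnect")
        last[terminal] = (ts, event)
    return findings


if __name__ == "__main__":
    for control, items in review_access_log(SAMPLE_LOG).items():
        print(control, items)
```

Run against the constructed log it reports one failed-login cluster on TERM-02, one after-hours login on TERM-03, and one 26-minute idle gap on TERM-01 that should have been ended by the automatic disconnect. A real review would feed the SMO's actual logs through `review_access_log` and keep the findings with the e-mails the report says are inspected.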
Control Objective 11: Controls are reasonable to ensure that transmissions from interfacing systems are subjected to the payroll system edits, validations, and error-correction procedures.

Control Activity: Policies and procedures are documented to describe how transactions from interfacing systems are subjected to the payroll system edits, validations, and error-correction procedures.
Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that transactions from interfacing systems are subjected to the payroll system edits, validations, and error-correction procedures.
Results of Testing: No relevant exceptions noted.

Control Activity: A control group is responsible for controlling and monitoring rejected transmissions included on the Personnel Interface Invalid Report.
Tests Performed: Inquired with appropriate personnel and inspected a random sample of 45 Personnel Interface Invalid Reports to confirm that the report is used for controlling and monitoring rejected transactions. Selected a random sample of 45 Personnel Interface Invalid Reports for the OMA pay database. In addition, the ZPA pay database only processed data for two pay periods; therefore, we reviewed all 16 Personnel Interface Invalid Reports during that period at DFAS Denver. As a result, 61 Personnel Interface Invalid Reports were selected for review at DFAS Denver. Selected a random sample of 45 Personnel Interface Invalid Reports beginning on February 14, 2006, at DFAS Charleston.
Results of Testing:
DFAS Denver, OMA Pay Database: Of the 45 Personnel Interface Invalid Reports inspected, 3 reports did not include a date indicating when actions to correct the errors had been completed. In addition, 35 of the 45 Personnel Interface Invalid Reports inspected did not include annotations indicating how the errors were corrected.
DFAS Denver, ZPA Pay Database: Of the 16 Personnel Interface Invalid Reports inspected, 1 report did not include annotations indicating how the errors were corrected.
DFAS Pensacola: Of the 45 Personnel Interface Invalid Reports selected for review, 1 report could not be located. Of the 44 Personnel Interface Invalid Reports inspected, 25 reports were annotated; however, sufficient detail did not exist to determine whether all errors within the report were resolved. In addition, 19 of the 44 Personnel Interface Invalid Reports inspected were annotated in Microsoft Word, but did not include the annotator’s signature or date of annotation.
DFAS Charleston: Personnel Interface Invalid Reports were neither annotated nor available for review July 1, 2005, through February 13, 2006. Of the 45 Personnel Interface Invalid Reports selected for review, 3 reports could not be provided. None of the 42 Personnel Interface Invalid Reports inspected included a signature, date, and annotations indicating how the errors were corrected.

Control Activity: The data processing control group maintains a schedule by application that shows when outputs should be completed, when they need to be distributed, who the recipients are, and the number of copies needed; reviews output products for general acceptability; and reconciles control information to determine completeness of processing.
Tests Performed: Inquired with appropriate personnel and inspected schedules used by the data processing group to confirm that they: 1) maintain a schedule by application that shows when outputs need to be completed, when they need to be distributed, who the recipients are, and the number of copies needed; 2) review output products for general acceptability; and 3) reconcile control information to determine completeness of processing.
Results of Testing: No relevant exceptions noted.

Control Activity: The system provides an audit trail of all transactions processed, transaction errors, error descriptions, and error correction procedures. Inquire whether audit trails are reviewed by supervisory personnel. Inquire whether payroll technicians capture, report, investigate, and correct erroneous data.
Tests Performed: Inquired with appropriate personnel and inspected audit trails to confirm that payroll technicians captured, reported, investigated, and corrected erroneous transactions and that those transactions were reviewed by supervisory personnel.
Results of Testing: No relevant exceptions noted.

Control Activity: For interfacing systems, record counts are accumulated and compared to footer control totals to help determine the completeness of interface processing. Out-of-balance conditions are reported, corrected, and re-entered.
Tests Performed: Inquired with appropriate personnel and inspected interface files to confirm that record counts match control totals in the footer and that out-of-balance conditions were reported, corrected, and re-entered.
Results of Testing: No relevant exceptions noted.

Control Activity: Batch transactions without pre-assigned serial numbers are automatically assigned a unique sequence number, which is used by the computer for ensuring that all transactions are processed.
Tests Performed: Observed the batch process to confirm that transactions without pre-assigned serial numbers were automatically assigned a unique sequence number.
Results of Testing: No relevant exceptions noted.

Control Objective 12: Controls provide reasonable assurance that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.

Control Activity: Policies and procedures are documented to describe how personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.
Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.
Results of Testing: No relevant exceptions noted.

Control Activity: All documents and storage media are stored in physically and environmentally secure containers.
Tests Performed: Inquired with appropriate personnel and observed storage processes to confirm that documents and storage media are properly stored in environmentally secure containers.
Results of Testing: No relevant exceptions noted.

Control Activity: All visitors to the payroll offices must sign in and out with the authorized security personnel.
Tests Performed: Inquired with appropriate personnel and inspected visitor logs at the payroll offices to confirm that visitors signed in and out with the authorized security personnel.
Results of Testing: No relevant exceptions noted.

Control Activity: All terminals and payroll records are located in physically secured locations.
Tests Performed: Inquired with appropriate personnel and observed the terminal rooms to confirm the rooms are physically secure.
Results of Testing: No relevant exceptions noted.

Control Activity: Users dispose of personnel and payroll records in accordance with Government-wide and agency-specific guidelines.
Tests Performed: Inquired with appropriate personnel and observed destruction bins to confirm that payroll records are disposed of in accordance with Government-wide and agency-specific guidelines.
Results of Testing: No relevant exceptions noted.
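The two interface-processing controls under control objective 11 above (record counts accumulated and compared to footer control totals, with out-of-balance files reported rather than processed; and a unique sequence number assigned to batch transactions that arrive without a pre-assigned serial) are easiest to understand in code. The following Python is an added example and is not code from the report, DFAS or DISA. The pipe-delimited record layout, the trailer format, the batch identifiers and the sample files are assumptions constructed for illustration; the report does not describe the real interface file format.

```python
"""Completeness checks for a constructed personnel-interface batch file.

Added example, not from the report or from DFAS/DISA. Record layout,
trailer format and sample files are assumptions made for illustration.
"""
from decimal import Decimal

# Constructed sample file. Layout (assumed):
#   H|<batch id>
#   D|<serial or blank>|<employee id>|<amount>
#   T|<record count>|<amount total>
SAMPLE_FILE = """\
H|BATCH-0001
D|1001|E12345|1250.00
D||E22222|980.50
D|1002|E33333|-45.25
D||E44444|610.00
T|4|2795.25
"""

# Constructed out-of-balance file: the trailer claims two records and
# 300.00 but only one record (100.00) arrived.
SHORT_FILE = """\
H|BATCH-0002
D|2001|E55555|100.00
T|2|300.00
"""


class OutOfBalance(Exception):
    """Raised when accumulated totals do not match the footer control totals."""


def assign_sequence_numbers(records, start=1):
    """Give every record lacking a serial a sequence number unique in the batch.

    Pre-assigned serials are kept as-is; generated numbers skip any value
    already in use so the batch never contains two records with one serial.
    """
    preassigned = [r["serial"] for r in records if r["serial"]]
    used = set(preassigned)
    if len(used) != len(preassigned):
        raise ValueError("duplicate pre-assigned serial numbers in batch")
    next_seq = start
    for r in records:
        if not r["serial"]:
            while str(next_seq) in used:
                next_seq += 1
            r["serial"] = str(next_seq)
            used.add(r["serial"])
            next_seq += 1
    return records


def process_interface_file(text):
    """Parse the file, reconcile it to its trailer, and return (batch_id, records).

    Raises OutOfBalance with a description of every mismatch so the file can
    be reported, corrected and re-entered instead of being partly processed.
    """
    batch_id, records, footer = None, [], None
    count, amount_total = 0, Decimal("0")
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if fields[0] == "H":
            batch_id = fields[1]
        elif fields[0] == "D":
            _, serial, employee, amount = fields
            records.append({"serial": serial, "employee": employee, "amount": Decimal(amount)})
            count += 1
            amount_total += Decimal(amount)
        elif fields[0] == "T":
            footer = (int(fields[1]), Decimal(fields[2]))
    if footer is None:
        raise OutOfBalance(f"{batch_id}: trailer record missing")
    problems = []
    if count != footer[0]:
        problems.append(f"record count {count} != footer {footer[0]}")
    if amount_total != footer[1]:
        problems.append(f"amount total {amount_total} != footer {footer[1]}")
    if problems:
        raise OutOfBalance(f"{batch_id}: " + "; ".join(problems))
    # Only a balanced batch gets sequence numbers and goes on to edits and validation.
    return batch_id, assign_sequence_numbers(records)


if __name__ == "__main__":
    print(process_interface_file(SAMPLE_FILE))
    try:
        process_interface_file(SHORT_FILE)
    except OutOfBalance as exc:
        print("rejected:", exc)
```

The amount hash total is checked alongside the record count because a count alone cannot detect a record replaced in transit; using `Decimal` rather than floats keeps the comparison exact. The out-of-balance file is rejected before any sequence numbers are issued, which matches the report's sequence of report, correct, then re-enter.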
General Computer Control Objectives, Control Activities, Tests Performed, and Results of Testing

Enterprise-Wide Security Program Planning

Control Objective 1: Risks are periodically assessed.
Control Activities (DECC SMC Mechanicsburg and DFAS TSOPE): DoD and DFAS policy direct an annual IA review. Review appropriate documentation to ensure that these processes are completed.
Tests Performed (DISA): Inquired of the Information System Security Officer and related security personnel how often the risk assessment process occurs. Inspected the latest Risk Assessment that was included with the SSAA to confirm that risks are periodically assessed. Inquired of appropriate personnel about the SRR process and determined how often SRRs occur and whether deficiencies and corrective actions are tracked. Selected a sample of SRRs performed and inspected the Vulnerability Management System (VMS) reports to confirm that findings identified by the SRR process have been addressed. Requested the following documents: Facility Risk Assessment, System Administrator (SA) Report, DCPS Local Exemptions, DCPS Specific Audit Server Findings (SRR Report), and the Automated Information System Connectivity Process.
Tests Performed (DFAS): Inquired of the Information Systems Security Officer and related security personnel how often the risk assessment process occurs. Inspected the latest Risk Assessment that was included with the SSAA to confirm that risks are periodically assessed. Determined what other internal processes (if any) DFAS performs to assess risks.
Results of Testing (DISA FSO): An SRR was not completed within the last 3 years for the LPAR where the DCPS application was housed.

Control Objective 2: A security plan is documented, approved, and kept current.
Control Activities (DFAS TSOPE): DoD and DFAS policy direct an annual IA review. Review appropriate documentation to ensure that these processes are accomplished.
Tests Performed (DFAS): Inspected the DCPS SSAA to confirm it has been documented, approved by management, and kept current. Inspected the DCPS Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures to confirm that each has been updated.
Results of Testing: No relevant exceptions noted.

Control Objective 3: A security management structure has been established, and information security responsibilities are assigned, clearly defined, and in place for all personnel.
Control Activities (DECC SMC Mechanicsburg): The DECC SMC Mechanicsburg SSAA includes Appendix J, “System Rules of Behavior,” which describes IA operations of the DoD information system and clearly delineates IA responsibilities and expected behaviors of all personnel.
Tests Performed (DISA): Confirmed through inquiry that a management structure had been established. Obtained and inspected the security management organization chart. Requested one position description for each function listed on the organization chart to confirm that all positions were established in writing. Inspected the SSAA for the security management structure and confirmed that each position function is outlined in the SSAA. Inspected the SSAA for security management responsibilities and confirmed that each position is outlined in the SSAA and is filled and that personnel understand their responsibilities. Inspected signed rules of behavior statements for the DISA personnel with access to DCPS and the underlying operating system.
Results of Testing: No relevant exceptions noted.

Control Objective 4: Owners and users are aware of security policies.
Control Activities (DECC SMC Mechanicsburg): Ongoing security awareness curriculum includes: New Employee Security Briefing; Annual Security Briefing; IA Awareness Training; Courier Briefing; SF 312 Non-Disclosure Briefing; Antiterrorism Force Protection Briefing; and SA Training. A Security page on the Command Intranet site has been established.
Tests Performed (DISA): Inspected the Security Awareness Training materials. Selected a random sample of employees and inspected their training files to confirm the completion of necessary security training and that training has been signed off by a supervisor.
Results of Testing: No relevant exceptions noted.
Inspected the training sign-in sheets to\n                                                                                   confirm that employees had attended\n                                      DFAS TSOPE                                   annual training.\n                                      Ongoing security awareness programs          Obtained evidence that management\n                                      that include initial training and periodic   has active security awareness programs\n                                      refresher training have been                 in place (that is electronic mail files or\n                                      established.                                 other policy distribution mechanisms)\n                                                                                   that proactively emphasized the\n                                                                                   security policies to data owners and\n                                                                                   users.\n                                                                                   DFAS\n                                                                                   Inspected the Security Awareness\n                                                                                   Training materials.\n                                                                                   Obtained a list of employees who have\n                                                                                   access to DCPS.\n                                                                                   Selected a random sample of\n                                                                                   employees who have DCPS access and\n                                                                                   inspected their training files to confirm\n                              
                                                     the completion of necessary security\n                                                                                   training and that training has been\n                                                                                   signed off by a supervisor.\n                                                                                   Inspected the training sign-in sheets to\n                                                                                   confirm that employees had attended\n                                                                                   annual training.\n\n                                                                     56\n\x0cNo.   Control Objectives                   Control Activities                    Tests Performed                              Results of Testing\n                                                                                 Obtained evidence that management\n                                                                                 has active security awareness programs\n                                                                                 in place (that is electronic mail files or\n                                                                                 other policy distribution mechanisms)\n                                                                                 that proactively emphasized the\n                                                                                 security policies to data owners and\n                                                                                 users.\n\n5     An incident response capability      DECC SMC Mechanicsburg                DISA                                         No relevant exceptions noted.\n      has been implemented.\n                                           DISA Policy Letter 05-04, \xe2\x80\x9cComputer   Confirmed through 
inspection that the\n                                           Security Incident Handling and        incident plan detailed in the SSAA has\n                                           Reporting,\xe2\x80\x9d May 4, 2005, has been     been implemented.\n                                           implemented.\n                                                                                 Obtained a list of all incidents that\n                                                                                 occurred during the audit period.\n                                                                                 Selected a random sample of incidents\n                                                                                 to confirm that the incident response\n                                                                                 plan was being followed.\n\n6     Hiring, transfer, termination, and   DECC SMC Mechanicsburg                DISA                                         DISA DECC SMC\n      performance policies address                                                                                            Mechanicsburg\n      security.                            Personnel and Industrial Security     Inspected the hiring, transfer,\n                                           Program(s) are implemented in         termination, and performance policies        Of the 23 Personnel Out-\n                                           accordance with DoD Directive         to confirm they are documented and           Processing Forms reviewed,\n                                           5200.2-R, \xe2\x80\x9cDoD Personnel Security     address security.                            
1 form did not include a\n                                           Program,\xe2\x80\x9d April 9, 1999, DoD                                                       signature and date indicating\n                                           Instruction 8500.2, \xe2\x80\x9cInformation      Confirmed through inquiry that               that access to the mainframe\n                                           Assurance Implementation,\xe2\x80\x9d            debriefs were conducted when                 was removed.\n                                           February 6, 2003, and the Computing   employees were terminated and that a\n                                           Services Security Handbook,           DISA Form 70 is used to note the             Of the 23 Personnel Out-\n                                           February 27, 2006.                    collection of DISA property.                 Processing Forms reviewed,\n                                                                                                                              1 form included appropriate\n                                                                                 Confirmed through observation that an        approval to remove access to the\n                                                                                 e-mail was sent to the SA to request         mainframe; however, the form\n                                                                                 that system access be removed for a          was not dated.\n                                                                                 terminated employee.\n\n\n\n\n                                                                      57\n\x0cNo.   
Control Objectives                 Control Activities                           Tests Performed                            Results of Testing\n                                                                                                                                 Of the 23 Personnel Out-\n                                                                                                                                 Processing Forms reviewed,\n                                                                                                                                 2 forms indicated mainframe\n                                                                                                                                 system access was removed\n                                                                                                                                 after the employees left DECC\n                                                                                                                                 SMC Mechanicsburg. As a\n                                                                                                                                 mitigating circumstance, all the\n                                                                                                                                 users listed on these forms did\n                                                                                                                                 not have access to DCPS.\n\n7     A training program is              DECC SMC Mechanicsburg                       DISA                                       DECC SMC Mechanicsburg\n      implemented to provide\n      assurance that employees have      A robust Security Awareness                  Confirmed through inquiry that a           A structured functional training\n      adequate training and expertise.   
curriculum that includes: New                training program had been established.     program had not been\n                                         Employee Security Briefing, Annual                                                      established at DECC SMC\n                                         Security Briefing, information               Requested documentation to confirm         Mechanicsburg for all\n                                         assurance Awareness Training, Courier        the existence of this training program.    Government personnel and\n                                         Briefing, SF 312 Non-Disclosure              If training is conducted in-house,         contractors with access to the\n                                         Briefing, Antiterrorism Force                inspected training materials to confirm    DCPS mainframe. In addition,\n                                         Protection Briefing, and SA training         that they provided personnel with          a process did not exist to\n                                         has been implemented.                        adequate training and expertise.           independently verify that\n                                                                                                                                 personnel had completed\n                                         DFAS TSOPE                                   Selected a random sample of training       training and submitted training\n                                         Ongoing security awareness programs          records for employees who had access       completion certificates.\n                                         that include initial training and periodic   to DCPS. Inspected the training            However, DECC SMC\n                                         refresher training is implemented.           
records to ensure functional job           Mechanicsburg has a process for\n                                                                                      training was occurring.                    users to obtain training.\n                                         Additionally, the DCPS SSAA\n                                         includes Appendix J, \xe2\x80\x9cSystem Rules of        DFAS\n                                         Behavior,\xe2\x80\x9d which describes the IA            Confirmed through inquiry that a\n                                         operations of the DoD information            training program has been established.\n                                         system and clearly delineates IA\n                                         responsibilities and expected behavior       Requested documentation to confirm\n                                         of all personnel.                            the existence of this training program.\n                                                                                      If training is conducted in-house\n                                                                                      inspected training materials to confirm\n                                                                                      that they provided personnel with\n                                                                                      adequate training and expertise and that\n                                                                                      they are up to date.\n\n\n\n\n                                                                        58\n\x0cNo.   
Control Objectives                   Control Activities                       Tests Performed                            Results of Testing\n                                                                                    Selected a random sample of\n                                                                                    employees who had access to DCPS.\n                                                                                    Inspected the training records to ensure\n                                                                                    that functional job training was\n                                                                                    occurring.\n\n8     Management periodically              DECC SMC Mechanicsburg                   DISA                                       DISA FSO\n      assesses the appropriateness of\n      security policies and compliance     The Director\xe2\x80\x99s Policy Letters and        Interviewed the Security Manager to        An SRR was not completed\n      with them.                           standard operating procedures are        obtain an understanding of how             within the last 3 years for the\n                                           reviewed and updated. An SRR is          management assessed appropriateness        LPAR where the DCPS\n                                           conducted at least once every 3 years.   
of and compliance with security            application was housed.\n                                                                                    policies.\n                                                                                    Inspected the DCPS Security\n                                                                                    Requirements and Information Systems\n                                                                                    Security Policy Certification Test and\n                                                                                    Evaluation Procedures to confirm that\n                                                                                    an annual IA review was conducted\n                                                                                    and that comprehensive vulnerability\n                                                                                    management was in place.\n\n9     Management ensures that              DECC SMC Mechanicsburg                   DISA                                       DISA FSO\n      corrective actions are effectively\n      implemented.                         The VMS is used to track findings        Inquired of appropriate personnel about    An SRR was not completed\n                                           identified during the SRR process.       
the SRR process to confirm that            within the last 3 years for the\n                                           DECC SMC Mechanicsburg                   corrective actions are effectively         LPAR where the DCPS\n                                           management is responsible for tracking   implemented for identified SRR             application was housed.\n                                           and closing all findings that resulted   findings.\n                                           from the SRR process.\n                                                                                    Selected a random sample of SRRs and\n                                           DFAS TSOPE                               inspected the VMS reports to confirm\n                                                                                    that findings identified by the SRR\n                                           Management tracks prior audit reports    process have been addressed.\n                                           and confirms that observations are\n                                           corrected in a timely manner.            Requested prior audit reports or\n                                                                                    reviews and determined if remediation\n                                                                                    has occurred for the findings and\n                                                                                    recommendations contained within\n                                                                                    those reports.\n\n\n\n\n                                                                        59\n\x0cNo.   
Control Objectives                 Control Activities                          Tests Performed                            Results of Testing\n                                                                                     DFAS\n                                                                                     Requested prior audit reports or\n                                                                                     reviews and determined if remediation\n                                                                                     has occurred for the findings and\n                                                                                     recommendations presented within\n                                                                                     those reports.\n\n10    A comprehensive vulnerability      DECC SMC Mechanicsburg                      DISA                                       DISA FSO\n      management process that\n      includes the systematic            Vulnerabilities are tracked in the VMS      Inspected the vulnerability                An SRR was not completed\n      identification and mitigation of   database. Prior to connecting to the        management policy and documentation        within the last 3 years for the\n      software and hardware              network, the SA must run a VS08             to confirm that the process includes       LPAR where the DCPS\n      vulnerabilities is in place.       report detailing IA Vulnerability           systematic identification and mitigation   application was housed.\n                                         Management notices for the asset's          of software and hardware\n                                         operating system. 
All IA Vulnerability      vulnerabilities.\n                                         Management notices must be\n                                         mitigated, and applicable patches           Inspected a random sample of\n                                         loaded prior to connecting the asset to     vulnerability assessments to confirm\n                                         the network. Once all checklists have       that vulnerabilities were identified and\n                                         been applied from the STIG and the          resolved.\n                                         vulnerability alerts have been installed,   Obtained the VMS reports for the audit\n                                         a SRR and an information security scan      period for DCPS and confirmed\n                                         will be conducted on the operating          vulnerabilities were tracked and\n                                         system. Security assessments that           resolved in a timely manner.\n                                         require a scan will use the Internet\n                                         Security Scanner and the FSO Full\n                                         Scan Policy. The scan will be\n                                         conducted using a direct connection\n                                         from the system running Internet\n                                         Security Scanner to the system being\n                                         assessed or the site is authorized to\n                                         connect the asset to an isolated network\n                                         during the Internet security scan. Each\n                                         site will place their self-assessment in\n                                         the Security Readiness Review\n                                         Database. 
If the systems have a\n                                         database, web server, or any other\n                                         software that has a STIG, they must go\n                                         through a FSO SRR and the results put\n                                         in the self-assessment of the SRR\n                                         database.\n\n\n\n\n                                                                       60\n\x0cNo.   Control Objectives                    Control Activities                         Tests Performed                           Results of Testing\n\n11    Changes to the DoD information        DFAS TSOPE                                 DFAS                                      DFAS TSOPE\n      systems are assessed for IA and\n      accreditation impact prior to         All changes made are captured in the       Inspected evidence that management        The configuration management\n      implementation.                       Change Management Information              assesses if a change is IA compliant      process required only program\n                                            System. Information for each change        and if the change impacts accreditation   code changes to be assessed and\n                                            record includes the requested time and     before moving the change into the         evaluated for IA impact. Of the\n                                            date of implementation, the action to      production environment.                   45 changes reviewed, 24\n                                            occur, and justification of the action.                                              changes impacted program\n                                                                                                                                 code. 
Of the 24 changes\n                                                                                                                                 impacting program code, 5\n                                                                                                                                 changes were not assessed and\n                                                                                                                                 evaluated by the IA Officer for\n                                                                                                                                 IA impact.\n\n12    A DoD reference document              DECC SMC Mechanicsburg                     DISA                                      No relevant exceptions noted.\n      constitutes the primary source for\n      security configuration or             DISA has developed and requires            Inspected the DISA Database STIG,\n      implementation guidance for the       compliance with the STIGs appropriate      DISA UNIX STIG, and DISA\n      deployment of newly acquired          to the operating system, application, or   Instruction Information Systems\n      IA and IA-enabled information         hardware.                                  Security Program 630-230-19 to\n      technology (IT) products.                                                        
confirm that those policies constitute\n                                                                                       the primary source configuration or\n                                                                                       implementation guidance for the\n                                                                                       deployment of newly acquired IA and\n                                                                                       IA-enabled products.\n\n      Access Controls\n\n13    Application owners have               DFAS TSOPE                                 DFAS                                      No relevant exceptions noted.\n      determined classification of\n      resources, and related criteria for   Management has classified DCPS             Inspected the DCPS SSAA and\n      access administration have been       according to appropriate MAC level         confirmed that a MAC level had been\n      established.                          standards.                                 assigned to DCPS.\n                                                                                       Inquired with data owners and\n                                                                                       confirmed that a MAC level had been\n                                                                                       assigned to DCPS.\n\n\n\n\n                                                                          61\n\x0cNo.   Control Objectives                   Control Activities                      Tests Performed                           Results of Testing\n\n14    Resource owners have a process       DFAS TSOPE                              DFAS                                      No relevant exceptions noted.\n      in place to identify users and all\n      user access is authorized.           
No.   Control Objectives               Control Activities                        Tests Performed                             Results of Testing

      (continuation of the preceding control)

      Control Activities:
      The SAAR form is used to identify authorized users and control their access to DCPS.

      Tests Performed:
      Requested a complete DCPS user list. Selected a random sample of 45 user forms from the list.
      Inspected the user SAAR forms for existence and management’s approval.
      Observed the application to confirm that users possessed valid user identification and a
      password to gain access to the system.
      Interviewed the system owner (DFAS) and inspected supporting documentation to confirm that
      unauthorized access to the system is removed in a timely manner.
      Interviewed Security Managers and confirmed that Security Managers provided appropriate
      supporting documentation.
      Obtained a representative sample of user profile changes and activity logs and confirmed that
      management reviewed the changes and logs.
      Obtained a list of recently terminated employees from the Human Resources Department. Selected a
      representative sample of terminated employees and confirmed that system access had been promptly
      terminated.

15    Emergency and temporary access authorization is controlled.

      Control Activities (DECC SMC Mechanicsburg):
      Emergency and temporary access authorization is controlled in accordance with DoD 5200.1-R,
      DoD 5200.2-R, DoD Directive 8500.1, DoD Instruction 8500.2, and the Computing Services Security
      Handbook.

      Tests Performed (DISA):
      Inspected the emergency and temporary access policy.
      Selected a random sample of emergency and temporary access requests to confirm that:
          •  the authorization was approved and that access was closed in a timely manner.
          •  the emergency and temporary access list was periodically reviewed.
          •  all temporary access authorizations were established for least privileged need-to-know
             access.

      Results of Testing:
      No relevant exceptions noted.

16    Owners determine disposition and sharing of data.

      Control Activities (DFAS TSOPE):
      Policies and procedures that govern the sharing of data are documented in the SSAA.

      Tests Performed (DFAS):
      Inspected documents authorizing file sharing and file sharing agreements and confirmed that the
      owners approve the sharing of data. In many cases those documents are called memorandums of
      agreement or service-level agreements.
      Inspected the DCPS SSAA and confirmed that a MAC level had been assigned to DCPS.
      Inquired with data owners (DFAS) and confirmed that a MAC level had been assigned to DCPS.

      Results of Testing (DFAS SMO):
      Of the 109 systems that interface with DCPS, 79 did not have a documented memorandum of
      agreement in place.

17    Adequate physical security controls have been implemented that are commensurate with the risks
      of physical damage or access.

      Control Activities (DECC SMC Mechanicsburg):
      All DISA facilities at DECC SMC Mechanicsburg are locked at all times. Access is restricted using
      proximity cards with personal identification number technology, which are controlled and issued
      by the Security Manager.
      The Naval Inventory Control Point conducts periodic, unannounced penetration testing to confirm
      that physical security is adequate.
      The DECC SMC Mechanicsburg SSAA requires the Security Office to perform physical security
      inspections.

      Tests Performed (DISA):
      Observed and documented the physical safeguards in place and confirmed that safeguards are
      established to mitigate the risk of physical damage or access.
      Observed that facility penetration testing processes are in place to include periodic,
      unannounced attempts to penetrate key computing facilities. In addition, we observed that every
      physical access point that displays sensitive information or unclassified information that had
      not been cleared for release was controlled during business hours and guarded or locked during
      non-business hours.

      Results of Testing:
      No relevant exceptions noted.

18    Visitors are controlled.

      Control Activities (DECC SMC Mechanicsburg):
      Visitor access is controlled in accordance with DoD 5200.2-R, DoD 5200.1-R, and the Computing
      Services Security Handbook. DECC SMC Mechanicsburg uses access control databases, proximity cards
      with personal identification number technology, vetted badge exchange, visitor logs, and visit
      authorization requests.

      Control Activities (DFAS TSOPE):
      All visitors must sign in and sign out with the guard on duty.
      The DCPS SSAA requires all non-cleared personnel to be escorted at all times while inside the
      building.

      Tests Performed (DISA):
      Inspected visitor access policies and procedures to confirm those policies are documented.
      Observed the visitor sign-in and sign-out process.
      Confirmed through inquiry that all visitors are escorted.
      Confirmed through inquiry and observation that visitor access to DoD information was determined
      by both its classification and user need-to-know.

      Tests Performed (DFAS):
      Inspected visitor access policies and procedures to confirm that those policies are documented.
      Observed the visitor check-in and check-out process.
      Confirmed through inquiry that all visitors are escorted.
      Confirmed through inquiry and observation that visitor access to DoD information was determined
      by both its classification and user need-to-know.

      Results of Testing (DECC SMC Mechanicsburg):
      Of the 45 daily visitor logs reviewed, 1 log did not include completed information for each
      visitor that entered DECC SMC Mechanicsburg that day. As a mitigating circumstance, the visitor
      was signed out by DECC SMC Mechanicsburg personnel, but the time the visitor left was not
      completed in the log.

      Results of Testing (DFAS TSOPE):
      Of the 45 daily visitor logs selected for review, 11 logs could not be located. Of the 34 logs
      reviewed, 12 logs did not include completed information for each visitor that entered DFAS TSOPE
      on those days. As a mitigating circumstance, the facility is protected by access-control locks
      and all visitors must be escorted by DFAS employees.

19    Adequate logical access controls have been implemented at the application layer.

      Control Activities (DFAS TSOPE):
      User identification and passwords are configured according to DoD standards.

      Tests Performed (DFAS):
      Observed that each user account was assigned a security profile that restricted access by
      module, program, unit identification code, and hand receipt.
      Requested a complete DCPS user list. Selected a random sample of DCPS users from the list and
      inspected their SAAR forms to confirm that the forms existed and were approved by management.
      Inquired with DFAS personnel to confirm that users possessed valid user identification and a
      password to gain access to the system.
      Interviewed the system owner (DFAS) and inspected supporting documentation to confirm that
      unauthorized access to the system is removed in a timely manner.
      Interviewed Security Managers and confirmed that Security Managers provided appropriate
      supporting documentation.
      Confirmed through inquiry that profile changes are not recorded in activity logs. All profile
      changes are completed on the SAAR forms, and this form requires management’s approval.
      Obtained a list of recently terminated employees from the Human Resources Department. Selected a
      representative sample of terminated employees and confirmed that system access had been promptly
      terminated.

      Results of Testing (DFAS TSOPE):
      The current version of ACF2 allowed for password character complexity as required by DoD
      Instruction 8500.2. However, DCPS was not configured to use the complex characters and,
      therefore, was not in compliance with DoD Instruction 8500.2. As a mitigating circumstance, DCPS
      is still subject to password controls that included periodic changing and minimum character
      lengths. In addition, the password configuration requirements cannot be changed unless DFAS
      requests complex password configuration.

20    Passwords, tokens, or other devices are used to identify and authenticate users.

      Control Activities (DECC SMC Mechanicsburg and DFAS TSOPE):
      Multiple layers of access controls are used including: common access card and personal
      identification number, DCPS user identification and password, and a Regional Support Activity
      SecurID for Database Administration, Configuration Management, Security, and Technical Support.

      Tests Performed (DISA):
      Confirmed through inquiry and observation that passwords are used to authenticate users.
      Inspected system parameters to ensure that the system requires user identification and a
      password.
      Inspected the Security Account Creation Guide to confirm that authentication devices were in
      compliance with DoD standards.

      Tests Performed (DFAS):
      Observed DCPS login procedures to confirm that users needed valid user identification and a
      password to gain access to the system.
      Inspected system parameters to ensure that the system requires user identification and a
      password.

      Results of Testing (DFAS TSOPE):
      The current version of ACF2 allowed for password character complexity as required by DoD
      Instruction 8500.2. However, DCPS was not configured to use the complex characters and,
      therefore, was not in compliance with DoD Instruction 8500.2. As a mitigating circumstance, DCPS
      is still subject to password controls that included periodic changing and minimum character
      lengths. In addition, the password configuration requirements cannot be changed unless DFAS
      requests complex password configuration.

21    Access paths are identified as part of a risk analysis and documented in an access path diagram.

      Control Activities (DECC SMC Mechanicsburg):
      Access paths are identified as part of the DECC SMC Mechanicsburg enclave SSAA and documented in
      the network diagram within the SSAA.
      Firewalls and routers are used to restrict access within the network.

      Tests Performed (DISA):
      Confirmed through inquiry that user management controls, firewalls, intrusion detection systems
      (IDS), and authentications were used to control network access.
      Obtained and inspected the network diagrams for DECC SMC Mechanicsburg to confirm that access
      paths were documented and monitored by IDSs.

      Results of Testing:
      No relevant exceptions noted.

22    Access is restricted to data files and software programs.

      Control Activities (DECC SMC Mechanicsburg):
      The System Support Office, a unit independent of DECC SMC Mechanicsburg operations, is
      responsible for maintaining the system libraries. Access to system libraries is restricted to
      authorized individuals.

      Tests Performed (DISA):
      Confirmed through inquiry and inspection of a list of the root access users for the DCPS servers
      that the access restrictions had been established for data files and software programs.
      Inspected the access logs and inquired with management whether access logs were reviewed for
      unauthorized access and whether system libraries were managed and maintained to protect
      privileged programs.
      Inspected a random sample of SAAR forms to confirm that each form includes the user’s
      justification for access, security clearance level, and approval from management.

      Results of Testing (DECC SMC Mechanicsburg):
      Of the 45 SAAR forms reviewed, 4 forms did not include justification for granting access to
      DCPS. In addition, 1 of the 45 SAAR forms reviewed did not indicate the organization requesting
      access for the user.

23    Access settings have been implemented in accordance with the access authorizations established
      by the resource owners.

      Control Activities (DECC SMC Mechanicsburg):
      Access settings have been implemented in accordance with the access authorization established by
      signature authority of the resource owner on the SAAR form and in accordance with DoD Directive
      8500.1, DoD Instruction 8500.2, and DISA STIGs.

      Control Activities (DFAS TSOPE):
      The Technical Support Office assigns security profiles to each user’s identification based on
      need-to-know as demonstrated by an approved SAAR form. TSOPE Database Administrators also assign
      security profiles to development users through IDMS, which restricts access to program libraries
      and databases.

      Tests Performed (DISA):
      Inspected a random sample of 45 SAAR forms to confirm that each form includes the user’s
      justification for access, security clearance level, and approval from management.

      Tests Performed (DFAS):
      Observed that each user account was assigned a security profile that restricted access by module
      or program.

      Results of Testing (DECC SMC Mechanicsburg):
      Of the 45 SAAR forms reviewed, 4 forms did not include justification for granting access to
      DCPS. In addition, 1 of the 45 SAAR forms reviewed did not indicate the organization requesting
      access for the user.

      Results of Testing (DFAS TSOPE):
      DFAS TSOPE Database Administrators had unrestricted access and made changes directly to payroll
      data recorded in IDMS by using a Data Manipulation Language Online tool. Although those changes
      were recorded in an audit log, TSOPE management did not review those logs regularly to determine
      whether the changes were appropriate and had been approved.
      In addition, three active user accounts on the IDMS user access list were identified; however,
      those accounts were not associated with personnel who needed that type of access. Specifically,
      one account was for an individual no longer employed by DFAS TSOPE, one account was a duplicate
      account, and one account was for an individual who no longer required that level of access.
      However, as a mitigating circumstance, access to IDMS was controlled through the ACF2 utility.
      None of the three account holders had access to ACF2.
      DFAS TSOPE technical support personnel had unrestricted access to flat files that contain DCPS
      customer data sent for processing or DCPS files that contain payroll, bank account, and other
      personal information. The technical support personnel had the ability to edit data within flat
      files. As a mitigating circumstance, audit logs recorded the date, time, and user identification
      of the person accessing the flat files; however, the audit logs did not record the type of
      change that had been made. In addition, as part of the payroll process, file balancing would
      identify any changes to amounts within the flat files.

24    Telecommunications controls are properly implemented in accordance with granted authorizations.

      Control Activities (DECC SMC Mechanicsburg):
      Remote access to the Internet is regulated by positive technical controls (including firewalls,
      routers, and proxy services and screened subnets, also called demilitarized zones [DMZ]), or
      through systems that are isolated from all other DoD information systems through physical means.
      There is a remote dial-in router provided for SAs which require Secure Shell restrictions.

      Tests Performed (DISA):
      Confirmed through inquiry and inspection of policy that telecommunications controls were
      implemented.
      Observed the existence of intrusion detection telecommunication monitoring controls.
      Obtained firewall rules to document acceptable telecommunication

      Results of Testing:
      No relevant exceptions noted.
Enterprise Security     protocols and compared them with\n                                           Manager is installed on some of these       policy to confirm compliance.\n                                           systems.\n\n25    Procedures are in place to clear     DECC SMC Mechanicsburg                      DISA                                      No relevant exceptions noted.\n      sensitive information and\n      software from computers, disks,      All documents, equipment, and               Requested and inspected the\n      and other equipment or media         machine-readable media containing           Disposition of Unclassified DoD\n      when they are disposed of or         sensitive data are cleared and sanitized    Computer Hard Drives policy and\n      transferred for other use.           before being released. A signature is       confirmed the policy was followed.\n                                           required to certify the destruction of\n                                           such media.                                 Observed that media was stored in a\n                                                                                       secure room before the media was\n                                                                                       cleared or destroyed.\n                                                                                       Observed the procedures in place to\n                                                                                       clear or destroy equipment and media.\n\n26    Audit trails are maintained in the   DECC SMC Mechanicsburg and                  DISA                                      No relevant exceptions noted.\n      application, operating system,       DFAS TSOPE\n      and database.                                                                    
Confirmed through inquiry that audit\n                                           A security audit trail that documents       trails were maintained for the\n                                           the identity of each person or device       application and operating system.\n                                           having access to a system, the time of\n                                           that access, user activity, and any         Inspected available audit trails and\n                                           actions which attempt to change             determined that the activities of users\n                                           established security levels or privileges   with root access were logged. In\n                                           for the user is implemented for each        addition, confirmed that failed login\n                                           system.                                     attempts were recorded in the audit log\n                                                                                       in accordance with DoD 8500.2.\n                                                                                       Confirmed through inquiry and\n                                                                                       observation that audit trails were\n                                                                                       maintained for at least 5 years.\n                                                                                       DFAS\n                                                                                       Confirmed through inquiry that audit\n                                                                                       trails were maintained for the\n                                                                                       application.\n\n\n                                                                          69\n\x0cNo.  
 Control Objectives                   Control Activities                          Tests Performed                            Results of Testing\n                                                                                       Inspected available audit trails and\n                                                                                       determined that the activities of users\n                                                                                       with root access were logged. In\n                                                                                       addition, confirmed that failed login\n                                                                                       attempts were recorded in the audit log\n                                                                                       in accordance with DoD 8500.2.\n                                                                                       Confirmed through inquiry and\n                                                                                       observation that audit trails were\n                                                                                       maintained for at least 5 years.\n\n27    The contents of audit trails are     DECC SMC Mechanicsburg                      DISA                                       No relevant exceptions noted.\n      protected against unauthorized\n      access, modification, or deletion.   Contents of audit trails are protected in   Requested policy related to the\n                                           accordance with STIGs and the DISA          protection of audit trails.\n                                           Computing Services Security\n                                           Handbook.                                   
Confirmed that policy limits access to\n                                                                                       audit trails to individuals with a need-\n                                           User authorization for access to various    to-know based on job responsibilities\n                                           systems is identified in each               described on the SAAR form.\n                                           individual\xe2\x80\x99s new user agreement\n                                           (completed when account is created).        Confirmed through inquiry and\n                                                                                       observation that audit logs included\n                                           DFAS TSOPE                                  activities that might modify, bypass, or\n                                                                                       negate safeguards controlled by the\n                                           Adheres to DITSCAP requirements for         system. In addition, confirmed that\n                                           system access and content, retention,       audit trails were protected against\n                                           and protection of audit trails. The most    unauthorized access, modification, or\n                                           recent testing of compliance with           deletion.\n                                           DITSCAP guidance is contained in the\n                                           DCPS SSAA, Appendices H and P.              
Observed that only a select or limited\n                                                                                       number of individuals (including the\n                                                                                       Information Assurance Manager, the\n                                                                                       Assistant Information Assurance\n                                                                                       Manager, Database Administrator, and\n                                                                                       SA) had access to the audit trails.\n                                                                                       DFAS\n                                                                                       Requested policy related to the\n                                                                                       protection of audit trails.\n                                                                                       Confirmed that policy limits access to\n                                                                                       audit trails to individuals with a need-\n                                                                                       to-know based on job responsibilities\n                                                                                       described on the SAAR form.\n\n\n                                                                          70\n\x0cNo.   
Control Objectives              Control Activities                       Tests Performed                            Results of Testing\n                                                                               Confirmed through inquiry and\n                                                                               observation that audit logs included\n                                                                               activities that might modify, bypass, or\n                                                                               negate safeguards controlled by the\n                                                                               system. In addition, confirmed the\n                                                                               audit trails were protected against\n                                                                               unauthorized access, modification, or\n                                                                               deletion.\n                                                                               Observed that only a select or limited\n                                                                               number of individuals (including the\n                                                                               Information System Security Officer\n                                                                               and Information Assurance Manager)\n                                                                               had access to the audit trails.\n\n28    Tools are available to review   DECC SMC Mechanicsburg                   DISA                                       No relevant exceptions noted.\n      audit records and generate\n      reports from audit records.     
Tools are available for review through   Inquired with security personnel and\n                                      System Management Facility and           inspected the audit tools available for\n                                      ACF2 reports.                            reviewing audit records.\n                                                                               Determined whether a reporting\n                                                                               function is available and, if so,\n                                                                               identified the types of reports being\n                                                                               generated and reviewed.\n\n29    Actual or attempted             DECC SMC Mechanicsburg                   DISA                                       No relevant exceptions noted.\n      unauthorized, unusual, or\n      sensitive network access is     ACF2 is maintained at DECC SMC           Obtained copies of the policies and\n      monitored, and suspicious or    Mechanicsburg and at the payroll         procedures relating to access controls.\n      irregular access activity is    offices by various SAs with differing\n      investigated, and appropriate   roles (for example, administration or\n      action taken.                   user accounts). The logs are centrally   Inquired with the SA to confirm that\n                                      reviewed at DECC SMC                     system access (including unauthorized,\n                                      Mechanicsburg. Multiple unsuccessful     unusual, or sensitive access) was\n                                      login attempts result in the account     monitored.\n                                      being locked. 
If the account is unused\n                                      for a specified period, the account is   Inquired with the SA to confirm that\n                                      deactivated.                             suspicious or irregular access activity\n                                                                               was investigated, and appropriate\n                                                                               actions were taken.\n\n\n\n\n                                                                   71\n\x0cNo.   Control Objectives                  Control Activities                           Tests Performed                            Results of Testing\n                                                                                       Obtained and inspected evidence\n                                                                                       (including audit log reviews and\n                                                                                       incident reports) to confirm that\n                                                                                       investigations and actions were taking\n                                                                                       place.\n\n30    The acquisition, development, or    DECC SMC Mechanicsburg                       DISA                                       No relevant exceptions noted.\n      use of mobile code in DoD\n      systems meets current guidelines,   Use of mobile code is only permitted         Inspected the DoD systems guidelines,\n      standards, and regulations.         
after a risk assessment, categorization      standards, and regulations concerning\n                                          of the mobile code, and counter              mobile code.\n                                          measures have been implemented, and\n                                          only when a waiver has been obtained         Inquired with the SA to confirm that\n                                          from the responsible Chief Information       the acquisition, development, or use of\n                                          Officer\xe2\x80\x99s office.                            mobile code in DoD systems meets\n                                                                                       current guidelines, standards, and\n                                                                                       regulations.\n                                                                                       Inspected the National Information\n                                                                                       Assurance Partnership website and\n                                                                                       confirmed that the website provided a\n                                                                                       list of approved products.\n\n31    All servers, workstations, and      DECC SMC Mechanicsburg                       DISA                                       No relevant exceptions noted.\n      mobile computing devices\n      implement virus protection that     Anti-virus software is installed on          Observed that all servers, workstations,\n      includes a capability for           personal computers, laptops, and             and mobile computing devices\n      automatic updates.                  systems under DECC SMC                       implement virus protection that\n                                          Mechanicsburg control.                
       included a capability for automatic\n                                                                                       updates at all DCPS locations.\n                                                                                       Obtained print screens as evidence that\n                                                                                       virus protection settings were\n                                                                                       configured.\n\n32    All Virtual Private Network         DECC SMC Mechanicsburg                       DISA                                       No relevant exceptions noted.\n      traffic is visible to the network\n      IDS.                                Information security scanner Real            Inquired with the SA to confirm that all\n                                          Secure is installed at various points that   Virtual Private Network traffic was\n                                          give visibility into the network traffic     visible to the network IDS.\n                                          ingressing and egressing the DISA\n                                          enclave.                                     Inspected the system network diagram\n                                                                                       and inquired of the SA to confirm that\n                                                                                       Virtual Private Network traffic was\n                                                                                       included on the diagram.\n\n\n                                                                         72\n\x0cNo.   
Control Objectives                  Control Activities                        Tests Performed                           Results of Testing\n\n33    At a minimum, medium-robust         DECC SMC Mechanicsburg                    DISA                                      No relevant exceptions noted.\n      commercial off-the-shelf (COTS)\n      IA and IA-enabled products are      Appropriate IA products are used to       Inquired with key personnel to confirm\n      used to protect sensitive           protect sensitive information when the    that at a minimum, medium-robust\n      information when the                information transits public networks or   COTS IA and IA-enabled products\n      information transits public         the system handling the information is    were used to protect sensitive\n      networks or the system handling     accessible by individuals who are not     information when the information\n      the information is accessible by    authorized to access the information on   transits public networks or the system\n      individuals who are not             the system.                               handling the information was\n      authorized to access the                                                      accessible by individuals who were not\n      information on the system.                                                    
authorized to access the information on\n                                                                                    the system for each of the DCPS\n                                                                                    locations.\n\n34    Unless there is an overriding       DECC SMC Mechanicsburg                    DISA                                      DECC SMC Mechanicsburg\n      technical or operational problem,\n      workstation screen-lock             Workstations are locked systematically    Confirmed with the Network                Screen-lock functionality was\n      functionality is applied to each    after a period of inactivity in           Administrator the type of operating       not applied on 2 of\n      workstation.                        accordance with DoD                       system personnel used.                    45 workstations inspected at\n                                          Instruction 8500.2. A password is                                                   DECC SMC Mechanicsburg.\n                                          required to unlock the workstation.       Confirmed through observation that        As a mitigating circumstance,\n                                                                                    workstation screen-lock functionality     DECC SMC Mechanicsburg has\n                                          DFAS TSOPE                                was applied.                              
physical access controls in place\n                                          The Desktop Management Initiative         DFAS                                      that limit unauthorized access to\n                                          (not associated with TSOPE) controls                                                workstations.\n                                          the configuration of all DFAS             Confirmed with the Network\n                                          computers, including the operating        Administrator the type of operating\n                                          system and the application of             system personnel used.\n                                          screen-lock functionality.                Confirmed through observation that\n                                                                                    workstation screen-lock functionality\n                                                                                    was applied.\n\n35    Instant messaging traffic to and    DECC SMC Mechanicsburg                    DISA                                      No relevant exceptions noted.\n      from users that are independently\n      configured by end users and that    Use of instant messaging applications     Inquired with personnel to confirm that\n      interact with a public service      is not permitted and network personnel    policy prohibits the use of instant\n      provider is prohibited within       monitor common firewall and system        messaging.\n      DoD information systems.            ports to identify and eliminate the use\n                                          of instant messaging applications.        
Inquired of network personnel the\n                                                                                    methods used to control instant\n                                                                                    messaging.\n\n\n\n\n                                                                       73\n\x0cNo.   Control Objectives                   Control Activities                        Tests Performed                           Results of Testing\n                                           DFAS TSOPE                                Requested and inspected firewall rules\n                                                                                     to confirm instant messaging was\n                                           Desktop Management Initiative             blocked.\n                                           controls the configuration of computers\n                                           so instant messaging programs are not     DFAS\n                                           authorized. TSOPE monitors\n                                           application usage through an              Inquired with personnel to confirm that\n                                           automated software auditing               policy prohibits the use of instant\n                                           application that runs regularly when      messaging.\n                                           users login to their workstation.         
Inquired of network personnel the\n                                           Instant messaging programs are            methods used to control instant\n                                           identified as part of that auditing       messaging.\n                                           process.\n                                                                                     Requested and inspected firewall rules\n                                                                                     to confirm instant messaging was\n                                                                                     blocked.\n\n36    For automated information            DECC SMC Mechanicsburg and                DISA                                      No relevant exceptions noted.\n      system applications, a list of all   DFAS TSOPE\n      (potential) hosting enclaves is                                                Inspected the DECC SMC\n      developed and maintained along       All interconnections of DoD               Mechanicsburg SSAA to confirm the\n      with evidence of deployment          information systems are managed           DCPS enclave was identified and\n      planning and coordination and        continuously to minimize risk by          documented.\n      with the exchange of connection      ensuring that the assurance of one\n                                           system is not undermined by               DFAS\n      rules and requirements.\n                                           vulnerabilities of interconnected         Inspected the Service-Level agreement\n                                           systems.                                  
No.   Control Objectives                   Control Activities                       Tests Performed                           Results of Testing

36 (continued from the preceding page)
Tests Performed (continued): ... between DISA and DFAS to confirm that deployment planning and coordination have been considered along with the exchange of connection rules and requirements.

37
Control Objectives: Group authenticators for application or network access may be used only in conjunction with an individual authenticator.
Control Activities: DECC SMC Mechanicsburg and DFAS TSOPE. Group authenticators are not used for DCPS or network access. Upon initial system login, a user's actions are tracked based on the individual's unique user account.
Tests Performed: DISA: Confirmed through inquiry that group authenticators for applications, networks, or operating systems were not used. DFAS: Confirmed through inquiry that group authenticators for applications and networks were not used.
Results of Testing: No relevant exceptions noted.

38
Control Objectives: To help prevent inadvertent disclosure of controlled information, all contractors and foreign nationals are identified by e-mail addresses and display names.
Control Activities: DECC SMC Mechanicsburg. Exchange Server Administration includes the specific configuration of e-mail addresses and display names for contractors and foreign nationals.
Tests Performed: DISA: Obtained a listing of contractors' and foreign nationals' e-mail addresses and display names to confirm that proper identification was present for those with access to DCPS.
Results of Testing: No relevant exceptions noted.

39
Control Objectives: Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using National Institute of Standards and Technology-certified cryptography.
Control Activities: DECC SMC Mechanicsburg. Encryption data streams are in the process of conforming to standards in the Federal Information Processing Standards Publication 140-2, "Security Requirements for Cryptographic Modules."
Tests Performed: DISA: Inquired of security personnel whether DCPS data were transmitted through a commercial or wireless network. Inquired of security personnel to confirm that National Institute of Standards and Technology cryptography was used to protect information when the information was transmitted over commercial or wireless networks.
Results of Testing: DFAS TSOPE: Sensitive but unclassified payroll and personnel data transmitted within DoD internal networks were not encrypted. In addition, data transmitted outside DoD internal networks are not encrypted unless DFAS requests data encryption.

40
Control Objectives: Discretionary access controls are a sufficient IA mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules.
Control Activities: DECC SMC Mechanicsburg. The DECC SMC Mechanicsburg enclave SSAA requires that access to all DoD information systems is based on a demonstrated need-to-know and is granted in accordance with applicable laws and DoD 5200.2-R for background investigations, special access, and IT position designations. An appropriate security clearance and non-disclosure agreement are also required for access to classified information in accordance with DoD 5200.1-R.
Tests Performed: DISA: Inspected the ACF2 access list of all individuals who had direct access to the DCPS system software and selected a random sample of 45 users with direct access.
Results of Testing: DECC SMC Mechanicsburg: Of the 45 SAAR forms reviewed, 4 forms did not include justification for granting access to DCPS. In addition, 1 of the 45 SAAR forms reviewed did not indicate the organization requesting access for the user.

41
Control Objectives: Conformance testing that includes periodic, unannounced, in-depth monitoring, and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures, is planned, scheduled, and conducted.
Control Activities: DECC SMC Mechanicsburg. DECC SMC Mechanicsburg performs monthly Retina scans to check for any DCPS network vulnerabilities. DCPS and its hardware are reviewed for STIG compliance through periodic SRRs that are conducted by the FSO on the DCPS mainframe domain.
Tests Performed: DISA: Confirmed through inquiry that conformance testing, including periodic, unannounced, in-depth monitoring and specific penetration testing to confirm compliance with all vulnerability mitigation procedures, was planned, scheduled, and conducted. Obtained and inspected documentation produced from this conformance testing (including information security scans) as evidence that penetration testing was completed.
Results of Testing: DISA FSO: An SRR was not completed within the last 3 years for the LPAR where the DCPS application was housed.

42
Control Objectives: All users are warned that they are entering a Government information system.
Control Activities: DECC SMC Mechanicsburg and DFAS TSOPE. All DISA networks and platforms present a message to users upon login, which warns them that they are entering a Government information system, and users are provided with appropriate privacy and security notices, including statements informing them that they are subject to monitoring, recording, and auditing.
Tests Performed: DISA and DFAS: Observed that workstations display a DoD warning banner.
Results of Testing: No relevant exceptions noted.

43
Control Objectives: Information and DoD information systems that store, process, transmit, or display data in any form or format that is not approved for public release comply with requirements in policy. Guidance documents and information in transit through a network at the same classification level, but which must be separated for need-to-know reasons, are encrypted, at a minimum, with National Institute of Standards and Technology certified cryptography.
Control Activities: DISA DECC SMC Mechanicsburg. Information on DoD systems that store, process, transmit, or display data in any format that is not approved for public release complies with DoD policy. Access to all DoD information systems is based on a demonstrated need-to-know and is granted in accordance with applicable laws and DoD 5200.2-R for background investigations, special access, and IT position designations.
Tests Performed: DISA: Observed and conducted a walk-through of the DECC SMC Mechanicsburg data center, including onsite tape storage areas, to confirm that labels indicating classification level were affixed to all computers and storage devices. Inquired with security personnel to confirm that information in transit through the network was encrypted. Inquired with security personnel to confirm the use of a network monitoring tool.
Results of Testing: DFAS TSOPE: Sensitive but unclassified pay and personnel data transmitted within DoD internal networks were not encrypted. In addition, data transmitted outside DoD internal networks are not encrypted unless DFAS requests data encryption.

44
Control Objectives: Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a DMZ and boundary defense mechanisms (including firewalls and network IDSs) at the enclave boundary.
Control Activities: DECC SMC Mechanicsburg. Perimeter firewalls, routers, and IDSs are deployed. DoD information systems regulate access and remove access to the Internet by employing positive technical controls (including proxy services and screened subnets [also called a DMZ]) that are isolated from all other DoD information systems through physical means.
Tests Performed: DISA: Inspected the system architecture to confirm that connections between DoD enclaves and the Internet were configured with a DMZ and boundary defense mechanisms (including firewalls and network IDSs) at the enclave boundary. Inspected the system network diagram and inquired of the SA to confirm that a DMZ and other defense mechanisms are employed. Observed the existence of firewalls and IDS devices.
Results of Testing: No relevant exceptions noted.

45
Control Objectives: Devices that display or output classified or sensitive information in human-readable form (monitors and printers) are positioned to deter unauthorized individuals from reading the information.
Control Activities: DECC SMC Mechanicsburg. Devices that display or output sensitive information are labeled to indicate whether sensitive information can be displayed. DFAS TSOPE. Systems containing sensitive information display warning banners upon login to warn authorized users, and unauthorized users are denied access when attempting to log in to the system. Individuals who print sensitive information in human-readable form have localized printers. Each user that prints sensitive data in human-readable form is accountable for security in handling that information.
Tests Performed: DISA and DFAS: Observed that monitors and printers displaying sensitive information were positioned to deter unauthorized individuals from reading the information.
Results of Testing: DFAS TSOPE: Printers at the DFAS TSOPE facility that output sensitive information in human-readable form were not properly positioned to deter unauthorized individuals from accessing or reading the information. As a mitigating circumstance, physical controls are in place at the facility restricting access by unauthorized personnel.

46
Control Objectives: Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies.
Control Activities: DECC SMC Mechanicsburg. The DECC SMC Mechanicsburg enclave SSAA requires system users to be subjected to various levels of personnel security investigations based on the level of access or privileges they have within the systems. The higher the level of access, the more stringent the required investigation becomes. At a minimum, all DECC SMC Mechanicsburg employees (military, civilian, or contractors) will have a SECRET security clearance and a favorably completed National Agency check.
Tests Performed: DISA: Requested, obtained, and inspected the policies and procedures for gaining access to sensitive information. Obtained the ACF2 listing of all personnel with access to DCPS. Selected a random sample of 45 users with access to DCPS and inspected their SAAR forms to confirm that each SAAR form includes the user's justification for access, security clearance level, and approval from management.
Results of Testing: DECC SMC Mechanicsburg: Of the 45 SAAR forms reviewed, 4 forms did not include justification for granting access to DCPS. In addition, one of the 45 SAAR forms reviewed did not indicate the organization requesting access for the user.

47
Control Objectives: DoD information systems comply with DoD ports, protocols, and services guidance.
Control Activities: DECC SMC Mechanicsburg. DCPS-related ports, protocols, and services are configured according to DoD guidance.
Tests Performed: DISA: Inquired of DECC SMC Mechanicsburg personnel and observed network monitoring to confirm that DoD information systems comply with DoD ports, protocols, and services guidance, including all ports, protocols, and services whether currently active or planned for use. Confirmed that ports, protocols, and services were identified and registered. Inspected documentation to support that DCPS had gone through the DISA STIG process.
Results of Testing: No relevant exceptions noted.

48
Control Objectives: Binary or machine-executable public domain software products and other software products with limited or no warranty are not used in DoD information systems.
Control Activities: DISA DECC SMC Mechanicsburg. Public domain software products and other software products with limited or no warranty (including freeware or shareware) are only used in DoD information systems to meet compelling operational requirements. Those products are thoroughly assessed for risk and accepted for use by the responsible Designated Approving Authority.
Tests Performed: DISA: Inspected a listing of software products and confirmed through inquiry of management that the mainframe housing DCPS did not have binary or machine-executable public domain software or other software products with limited or no warranty installed.
Results of Testing: No relevant exceptions noted.

Application Software Development and Change Control

49
Control Objectives: A system development life cycle methodology has been implemented and documented.
Control Activities: DFAS TSOPE. A defined configuration management process is in place at DFAS TSOPE. The process is documented in the DCPS SSAA, Appendix S. Included within the plan are:
   • formally documented configuration management roles, responsibilities, and procedures, including management of IA information and documentation;
   • detailed roles of the CCB, including its roles for reviewing and approving changes; and
   • descriptions of the testing process that all changes must go through, including the migration of the change from the development region to the testing region and from the testing region to the production environment.
Tests Performed: DFAS: Inspected the configuration management plan to confirm that the plan had been documented. Inquired of DFAS TSOPE personnel to confirm that a configuration management process was implemented and includes the following:
   • formally documented configuration management roles, responsibilities, and procedures, including management of IA information and documentation;
   • detailed roles of the CCB, including its roles for reviewing and approving changes; and
   • descriptions of the testing process that all changes must go through, including the migration of the change from the development region to the testing region and from the testing region to the production environment.
Results of Testing: No relevant exceptions noted.

50
Control Objectives: Authorizations for software modifications are documented and maintained. This should also include emergency changes.
Control Activities: DFAS TSOPE. A Configuration Management Plan is implemented for software modifications, contained in the DFAS TSOPE Business Process Handbook, updated October 23, 2005. All modifications go through the system change request (SCR) process and receive proper approval prior to implementation, including emergency changes made during business hours. Emergency changes that arise during non-business hours may be implemented prior to SCR approval; however, the change is run through the SCR process at the start of the next business day.
Tests Performed: DFAS: Requested the list of program code and database modifications made to the DCPS production code library during the period July 1, 2005, through June 30, 2006. We traced a random sample of 45 modifications to an approved SCR and confirmed through inspection that the SCR was authorized by the Program Manager or Software Director. We also tracked each SCR identified above to the Release Authorization Report to confirm that it was approved by the Software Director.
Results of Testing: No relevant exceptions noted.

51
Control Objectives: Use of public domain and personal software is restricted.
Control Activities: DFAS TSOPE. DFAS TSOPE does not allow any use of public domain or personal software. DCPS is housed on a DISA mainframe and all necessary utilities are on that mainframe.
Tests Performed: DFAS: Inspected policy (DCPS SSAA) to confirm that personal software is restricted. Requested a listing of approved software. Inquired with system personnel to determine how this requirement was enforced.
Results of Testing: No relevant exceptions noted.

52
Control Objectives: Changes are controlled as programs progress through testing to final approval to ensure completeness, authorization, and software quality requirements, and validation methods are focused on the minimization of flawed or malformed software. Software that can negatively impact integrity or availability (for example, buffer overruns) is specified for all software development initiatives.
Control Activities: DFAS TSOPE. Testing of changes follows the approved process outlined in the DFAS TSOPE Business Process Handbook prior to implementation. A Testing Deficiency Report is issued for SCRs with negative test results, and the Testing Deficiency Report is routed to the appropriate individuals. If necessary, an amendment is issued and progresses through the same approval process as an SCR.
Tests Performed: DFAS: Using the same sample selected for control objective No. 50, we confirmed that the change followed the appropriate test and migration process by inspecting the following documents for completeness, authorization, and software quality requirements:
   • System Test Plan;
   • Detailed System Specifications; and
   • Unit, System, and Acceptance testing results.
Inquired of DCPS security personnel as to their roles and responsibilities for releasing security-related changes included in DCPS releases. Observed release notes for all major DCPS production releases that occurred July 1, 2005, through June 30, 2006.
Results of Testing: DFAS TSOPE: Of the 45 SCRs inspected, 7 changes did not include documented test results. Of the seven changes:
   • five were program code changes,
   • one was an SCR addendum, and
   • one was an interest rate table change.

53
Control Objectives: Distribution and implementation of new or revised software is controlled.
Control Activities: DFAS TSOPE. Release management staff is responsible for the distribution and implementation of new and revised software.
Tests Performed: DFAS: Using the same sample selected for control objective No. 50, we confirmed that the change followed the appropriate distribution process by inspecting the Release Authorization Report for completeness and authorization.
Results of Testing: No relevant exceptions noted.

54
Control Objectives: Programs are labeled and inventoried.
Control Activities: DFAS TSOPE. Release management staff is responsible for ensuring that all programs are labeled and inventoried within the appropriate library.
Tests Performed: DFAS: Using the same sample selected for control objective No. 50, we confirmed that the changes had been labeled, assigned an identification number, and inventoried.
Results of Testing: No relevant exceptions noted.

55
Control Objectives: Access to program libraries is restricted to appropriate personnel to ensure that the movement of programs and data among libraries is controlled.
Control Activities: DFAS TSOPE. The SA manages access rights to the program libraries and databases through ACF2. The Database Administrator grants access to the appropriate development or production environments through IDMS. IDMS controls the version of the software in the development and production environments.
Tests Performed: DFAS: Observed the DCPS Librarian to understand how the development and production libraries are controlled. Inspected the access control lists for the production and development libraries (directories) to confirm that only authorized personnel have access.
Results of Testing: DFAS TSOPE: DFAS TSOPE Database Administrators had unrestricted access and made changes directly to payroll data recorded in IDMS by using a Data Manipulation Language Online tool. Although those changes were recorded in an audit log, TSOPE management did not review those logs regularly to determine whether the changes were appropriate and approved. In addition, three active user accounts on the IDMS user access list were identified; however, those accounts were not associated with personnel who needed that type of access. Specifically, one account was for an individual no longer employed by DFAS TSOPE, one account was a duplicate account, and one account was for an individual that no longer required that level of access. However, as a mitigating circumstance, access to IDMS was controlled through the
                         ACF2 utility. None of the three\n                                                                                                                             account holders had access to\n                                                                                                                             ACF2.\n\n56    Acquisition or outsourcing of IT   DFAS TSOPE                                DFAS                                      No relevant exceptions noted.\n      services explicitly addresses\n      Government, service provider,      The Service-Level agreement between       Inspected the Service-Level agreement\n      and end-user IA roles and          DFAS and DECC SMC                         to confirm that the agreement expressly\n      responsibilities.                  Mechanicsburg explicitly states the IA    addresses Government, service\n                                         roles and responsibilities of the         provider, and end-user IA roles and\n                                         customer and service provider.            responsibilities.\n\n\n\n                                                                      82\n\x0cNo.   
Control Objectives                  Control Activities                        Tests Performed                           Results of Testing\n                                          Data are collected to support reporting\n                                          and IA management activities\n                                          throughout the investment lifecycle.\n\n57    The acquisition of all IA and IA-   DFAS TSOPE                                DFAS                                      No relevant exceptions noted.\n      enabled Government off-the-\n      shelf IT products is limited to     The System Support Office is              Confirmed through inquiry that DFAS\n      products that have been             responsible for reviewing and             verified that products were verified by\n      evaluated by NSA or are in          approving all COTS and Government         NSA or conducted an evaluation in\n      accordance with NSA-approved        off-the-shelf IT products.                accordance with NSA-approved\n      processes.                                                                    
processes for all IA-related products.\n                                                                                    Inspected the National Information\n                                                                                    Assurance Partnership website and\n                                                                                    confirmed a list of approved products.\n\n      System Software Controls\n\n58    Access authorizations are           DECC SMC Mechanicsburg                    DISA                                      No relevant exceptions noted.\n      appropriately limited.\n                                          User accounts are suspended after         Inspected the policies and procedures\n                                          30 days of no activity (60 days for       for restricting access to system\n                                          TSOPE and payroll offices) and are        software to confirm that they were up-\n                                          removed after 90 days. Accounts are       to-date.\n                                          issued by local SAs. User access\n                                          administration controls are tested in     Obtained the ACF2 access list of all\n                                          multiple control objectives, primarily    individuals who had direct access to\n                                          in the Access Control section of this     system software and selected a random\n                                          report.                                   
sample of 45 users with direct access.\n                                                                                    For each user selected, confirmed with\n                                                                                    key management that those users were\n                                                                                    authorized to have this access.\n\n59    Policies and techniques have        DECC SMC Mechanicsburg                    DISA                                      No relevant exceptions noted.\n      been implemented for using and\n      monitoring use of system            Access to system software is              Inquired with key DECC SMC\n      utilities.                          administered based on roles.              Mechanicsburg personnel to confirm\n                                                                                    how root and privileged access was\n                                                                                    administered.\n                                                                                    Obtained the list of individuals with\n                                                                                    root and privileged access.\n                                                                                    Inquired with management that root\n                                                                                    and privileged access was reviewed\n\n                                                                         83\n\x0cNo.   
Control Objectives                  Control Activities                         Tests Performed                          Results of Testing\n                                                                                     and approved and that the use of those\n                                                                                     accounts was logged.\n                                                                                     Inspected each audit log from the\n                                                                                     DCPS LPAR for the 12-month audit\n                                                                                     period to confirm that key personnel\n                                                                                     reviewed the logs on a regular basis\n                                                                                     and that any issues identified were\n                                                                                     documented and researched.\n                                                                                     Inspected the policies and procedures\n                                                                                     for monitoring system software and\n                                                                                     confirmed that they existed and were\n                                                                                     current.\n\n60    System software changes are         DECC SMC Mechanicsburg                     DISA                                     DECC SMC Mechanicsburg\n      authorized, tested, approved, and\n      documented before                   Procedures addressing the testing of       Obtained and inspected the change        Test results were not\n      implementation.                     
patches, upgrades, and new automated       management policies and procedures       documented prior to September\n                                          information system applications are        for system software to confirm that      15, 2005. During that time,\n                                          documented. All changes made at            they existed and were current.           DECC SMC Mechanicsburg\n                                          DECC SMC Mechanicsburg are                                                          was in the process of developing\n                                          captured in the Change Management          Obtained a list of all DCPS system       policy requiring that this\n                                          System (Change Management 2000).           software modifications that occurred     documentation be maintained in\n                                          Each change record includes the            July 1, 2005, through June 30, 2006,     response to recommendations\n                                          requested time and date of                 and selected a random sample of          made during the FY 2005 DCPS\n                                          implementation, the action that is to      45 modifications.                        Statement on Auditing Standard\n                                          occur, and justification for the action.   For each modification selected, we       70 audit. 
Therefore, the 13\n                                                                                     obtained the change request              sample changes selected during\n                                          All changes to information systems at                                               that time could not be provided.\n                                          DECC SMC Mechanicsburg are                 documentation and confirmed that it\n                                                                                     was approved by key personnel before     All changes that took place after\n                                          brought before at least one of two                                                  September 15, 2005, were\n                                          CCBs. DISA Headquarters has a              implementation.\n                                                                                                                              provided.\n                                          executive software CCB, which is           Confirmed that each modification was\n                                          responsible for reviewing all major        tested and the test results were\n                                          system changes, including new              approved before the modification was\n                                          versions, new software, and the            implemented.\n                                          removal of software. There is also a\n                                          local CCB at DECC SMC                      Confirmed that the modifications were\n                                          Mechanicsburg that meets on a weekly       documented by inspecting the SCR;\n                                          basis. 
The local CCB is responsible for    System Test Plan; Detailed System\n                                          reviewing all operating system             Specifications; and Unit, System, and\n                                          upgrades and fixes. The local CCB is       Acceptance testing results.\n                                          also responsible for alerting the\n                                          customer to the change and obtaining\n\n                                                                        84\n\x0cNo.   Control Objectives                Control Activities                       Tests Performed                              Results of Testing\n                                        customer approval before proceeding.\n                                        In addition, the local CCB is\n                                        responsible for maintaining the change\n                                        control records.\n                                        The DISA executive software CCB\n                                        consists of representative from DISA\n                                        Headquarters, as well as all the\n                                        DECCs. The DECC SMC\n                                        Mechanicsburg local CCB consists of\n                                        all department heads and the\n                                        Information Assurance Manager.\n\n61    Good engineering practices with   DECC SMC Mechanicsburg                   DISA                                         No relevant exceptions noted.\n      regards to the integrity\n      mechanisms of COTS,               Implemented COTS software that           Confirmed through inquiry that a\n      Government off-the-shelf, and     scans incoming and outgoing files to     controlled interface was used for\n      custom developed solutions are    insure the integrity of those files.     
interconnections among DoD\n      implemented for incoming and                                               information systems that were\n      outgoing files.                                                            connected to DCPS.\n                                                                                 Observed the existence of access\n                                                                                 control lists, IDS, firewalls, encryption,\n                                                                                 and network monitoring.\n                                                                                 Confirmed through inquiry that\n                                                                                 interface inputs were automatically\n                                                                                 validated by the system for missing\n                                                                                 information, format, consistency, and\n                                                                                 reasonableness.\n                                                                                 Inquired of personnel about the system\n                                                                                 batch file process for interface inputs\n                                                                                 of control totals and line counts.\n\n\n\n\n                                                                     85\n\x0cNo.   
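The findings reported under the continued objective at the top of this section (an account for a separated employee, a duplicate account, and an account whose holder no longer needed that level of access) together with the dormancy rule in control objective No. 58 (suspension after 30 days of inactivity, 60 days for TSOPE and payroll offices, removal after 90 days) describe a review that can be run as a script against an access list. The following Python is an added example and is not code from this report, DFAS or DISA; the account records, personnel roster, office codes and access-level labels in it are constructed for illustration.

```python
"""Access-list review applying the dormancy thresholds of control objective
No. 58 and the orphaned-account checks behind the IDMS finding.

Added example; not code from the DoD OIG report, DFAS or DISA.  All records,
office codes and access-level names below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple

# Thresholds stated in control objective No. 58.
SUSPEND_AFTER_DAYS = 30
SUSPEND_AFTER_DAYS_PAYROLL = 60          # TSOPE and payroll offices
REMOVE_AFTER_DAYS = 90
PAYROLL_OFFICES = {"TSOPE", "PAYROLL"}   # constructed office codes


@dataclass(frozen=True)
class Account:
    user_id: str
    person_id: str          # identifier tying the account to a person
    office: str
    access_level: str       # constructed label, e.g. "DML_ONLINE"
    last_activity: date


@dataclass(frozen=True)
class Person:
    person_id: str
    employed: bool
    approved_levels: FrozenSet[str]   # access the person's current role needs


def dormancy_action(acct: Account, today: date) -> str:
    """Apply the 30/60-day suspension and 90-day removal rule to one account."""
    idle_days = (today - acct.last_activity).days
    suspend_after = (SUSPEND_AFTER_DAYS_PAYROLL
                     if acct.office in PAYROLL_OFFICES else SUSPEND_AFTER_DAYS)
    if idle_days >= REMOVE_AFTER_DAYS:
        return "remove"
    if idle_days >= suspend_after:
        return "suspend"
    return "active"


def review_access_list(accounts: List[Account], roster: Dict[str, Person],
                       today: date) -> Dict[str, List[str]]:
    """Return {user_id: [findings]} for every account that needs action.

    Findings: "separated" (no employed person behind the account),
    "access-no-longer-required" (role no longer needs that level),
    "duplicate-of:<user_id>" (same person, same level, seen before),
    and the dormancy action where it is not "active".
    """
    findings: Dict[str, List[str]] = {}
    first_seen: Dict[Tuple[str, str], str] = {}   # (person, level) -> user_id
    for acct in accounts:
        issues: List[str] = []
        person = roster.get(acct.person_id)
        if person is None or not person.employed:
            issues.append("separated")
        elif acct.access_level not in person.approved_levels:
            issues.append("access-no-longer-required")
        key = (acct.person_id, acct.access_level)
        if key in first_seen:
            issues.append("duplicate-of:" + first_seen[key])
        else:
            first_seen[key] = acct.user_id
        action = dormancy_action(acct, today)
        if action != "active":
            issues.append(action)
        if issues:
            findings[acct.user_id] = issues
    return findings


def sample_review() -> Dict[str, List[str]]:
    """Run the review over a constructed access list as of June 30, 2006."""
    today = date(2006, 6, 30)
    roster = {
        "P1": Person("P1", True, frozenset({"DML_ONLINE", "ACF2"})),
        "P2": Person("P2", False, frozenset()),           # no longer employed
        "P3": Person("P3", True, frozenset({"OLQ"})),     # query-only role now
        "P4": Person("P4", True, frozenset({"DML_ONLINE"})),
    }
    accounts = [
        Account("A1", "P1", "TSOPE", "DML_ONLINE", date(2006, 6, 20)),
        Account("A2", "P2", "TSOPE", "DML_ONLINE", date(2006, 5, 1)),   # 60 days idle
        Account("A3", "P3", "TSOPE", "DML_ONLINE", date(2006, 6, 25)),
        Account("A4", "P4", "TSOPE", "DML_ONLINE", date(2006, 6, 28)),
        Account("A5", "P4", "TSOPE", "DML_ONLINE", date(2006, 2, 1)),   # duplicate, 149 days idle
        Account("A6", "P1", "DECC", "ACF2", date(2006, 5, 20)),         # 41 days idle, 30-day office
    ]
    return review_access_list(accounts, roster, today)


if __name__ == "__main__":
    for user_id, issues in sample_review().items():
        print(user_id, ", ".join(issues))
```

The review keys duplicates on (person, access level) rather than on user id, so a second account for the same person at the same level is reported against the first one seen; the dormancy thresholds differ by office exactly as the control activity states them.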
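The result reported at the top of this section (direct changes to payroll data recorded in an audit log that management did not review regularly), the audit-log review inspected under control objective No. 59, and the approval-before-implementation and test-results checks under No. 60 amount to a reconciliation of logged changes against change records plus a check that reviews actually happened on a regular basis. The Python below is an added example, not code from this report, DFAS or DISA; the audit entries, change records and their field layouts are constructed, since the page does not describe the IDMS audit log or the Change Management 2000 record format.

```python
"""Reconcile logged direct data changes against change records and check
that log reviews were signed off regularly.

Added example; not code from the DoD OIG report, DFAS or DISA.  Entry and
record layouts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRecord:
    scr_id: str                        # System Change Request identifier
    approved_on: Optional[date]        # None means never approved
    test_results_documented: bool      # the gap found before Sept. 15, 2005


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    user_id: str
    action: str                        # e.g. "DML_UPDATE" (constructed)
    scr_id: Optional[str]              # change record the operator cited


def reconcile(entries: List[AuditEntry],
              records: List[ChangeRecord]) -> List[Tuple[int, str]]:
    """Tie every logged direct change to an approved, tested change record.

    Returns (entry index, reason) pairs for entries that fail a check:
    no record, approval dated after the change, or no documented test results.
    """
    by_id: Dict[str, ChangeRecord] = {r.scr_id: r for r in records}
    findings: List[Tuple[int, str]] = []
    for i, entry in enumerate(entries):
        record = by_id.get(entry.scr_id) if entry.scr_id else None
        if record is None:
            findings.append((i, "no change record"))
            continue
        if record.approved_on is None or record.approved_on > entry.at.date():
            findings.append((i, "implemented before approval"))
        if not record.test_results_documented:
            findings.append((i, "test results not documented"))
    return findings


def review_gaps(review_dates: List[date], period_start: date, period_end: date,
                max_gap_days: int = 7) -> List[Tuple[date, date]]:
    """Find stretches longer than max_gap_days with no signed-off log review.

    The period bounds act as fence posts so a gap at either end is reported.
    """
    posts = [period_start] + sorted(review_dates) + [period_end]
    return [(a, b) for a, b in zip(posts, posts[1:])
            if (b - a).days > max_gap_days]


def sample_reconciliation() -> List[Tuple[int, str]]:
    """Constructed records and log entries spanning the audit period."""
    records = [
        ChangeRecord("SCR-1", date(2005, 10, 1), True),
        ChangeRecord("SCR-2", date(2005, 11, 20), True),    # approved late
        ChangeRecord("SCR-3", date(2005, 8, 1), False),     # pre-Sept. 15 gap
    ]
    entries = [
        AuditEntry(datetime(2005, 10, 5, 10, 0), "u1", "DML_UPDATE", "SCR-1"),
        AuditEntry(datetime(2005, 11, 15, 9, 0), "u2", "DML_UPDATE", "SCR-2"),
        AuditEntry(datetime(2005, 8, 3, 14, 30), "u1", "DML_UPDATE", "SCR-3"),
        AuditEntry(datetime(2006, 1, 10, 8, 15), "u3", "DML_DELETE", None),
        AuditEntry(datetime(2006, 2, 1, 16, 45), "u1", "DML_UPDATE", "SCR-9"),
    ]
    return reconcile(entries, records)


def sample_review_gaps() -> List[Tuple[date, date]]:
    """Constructed review sign-off dates over a two-month window."""
    reviews = [date(2005, 7, 12), date(2005, 7, 5), date(2005, 8, 20)]
    return review_gaps(reviews, date(2005, 7, 1), date(2005, 8, 31))


if __name__ == "__main__":
    for index, reason in sample_reconciliation():
        print("entry", index, reason)
    for start, end in sample_review_gaps():
        print("no review between", start, "and", end)
```

An entry citing an unknown change request is treated the same as one citing none at all, which is the condition behind the "could not be provided" result under No. 60; the weekly review window is an assumption chosen to match the local CCB's weekly cadence and should be set to whatever the site's policy requires.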
      Segregation of Duties

62    Control Objective: Incompatible duties are identified and policies implemented to segregate those duties.
      Control Activities (DECC SMC Mechanicsburg and DFAS TSOPE): Developed distinct system support functions to ensure there is adequate segregation of duties.
      Tests Performed (DISA and DFAS): Inspected the organizational chart and the job descriptions for IA positions at DECC SMC Mechanicsburg and DFAS TSOPE in relation to DCPS to confirm that there was appropriate segregation of duties and incompatible duties did not exist. Inquired with management and inspected the organizational chart to confirm that the following distinct system support functions were performed by different individuals. Those functions include:
          • information security management,
          • system design,
          • application programming,
          • systems programming,
          • quality assurance and testing,
          • library management and change management,
          • computer operations,
          • production control and scheduling,
          • data control,
          • data security,
          • data administration, and
          • network administration.
      Results of Testing: No relevant exceptions noted.
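The test under control objective No. 62, confirming from the organizational chart that each of the twelve listed functions is performed by a different individual, is easy to repeat as an automated check once position descriptions are held as data. The Python below is an added example and is not code from this report, DFAS or DISA; the function names are the twelve the report lists, while the staff names and their assignments are constructed for illustration.

```python
"""Segregation-of-duties check over the system support functions listed
under control objective No. 62.

Added example; not code from the DoD OIG report, DFAS or DISA.  The staff
assignments are constructed.
"""
from typing import Dict, Iterable, List, Set, Tuple

# The twelve distinct system support functions named in the report.
SYSTEM_SUPPORT_FUNCTIONS = (
    "information security management",
    "system design",
    "application programming",
    "systems programming",
    "quality assurance and testing",
    "library management and change management",
    "computer operations",
    "production control and scheduling",
    "data control",
    "data security",
    "data administration",
    "network administration",
)


def check_segregation(assignments: Dict[str, Iterable[str]]
                      ) -> Tuple[Dict[str, List[str]], List[str], List[str]]:
    """Confirm that each listed function is performed by a different individual.

    assignments maps a person to the functions on their position description.
    Returns (conflicts, uncovered, unlisted):
      conflicts  - person -> listed functions held, for anyone holding more than one
      uncovered  - listed functions nobody is assigned to
      unlisted   - assigned function names that are not in the report's list
    """
    holders: Dict[str, Set[str]] = {f: set() for f in SYSTEM_SUPPORT_FUNCTIONS}
    unlisted: Set[str] = set()
    conflicts: Dict[str, List[str]] = {}
    for person, funcs in assignments.items():
        held = sorted(f for f in funcs if f in holders)
        for f in held:
            holders[f].add(person)
        unlisted.update(f for f in funcs if f not in holders)
        if len(held) > 1:
            conflicts[person] = held
    uncovered = [f for f in SYSTEM_SUPPORT_FUNCTIONS if not holders[f]]
    return conflicts, uncovered, sorted(unlisted)


def sample_check() -> Tuple[Dict[str, List[str]], List[str], List[str]]:
    """Constructed org chart: one person holds two listed functions, one
    function has no holder, and one assigned function is outside the list."""
    assignments = {
        "alice": {"application programming",
                  "library management and change management"},
        "bob": {"systems programming"},
        "carol": {"quality assurance and testing"},
        "dan": {"computer operations", "help desk"},
        "erin": {"information security management"},
        "frank": {"system design"},
        "gina": {"production control and scheduling"},
        "hal": {"data control"},
        "ivy": {"data security"},
        "jon": {"data administration"},
    }
    return check_segregation(assignments)


if __name__ == "__main__":
    conflicts, uncovered, unlisted = sample_check()
    print("conflicts:", conflicts)
    print("uncovered:", uncovered)
    print("unlisted:", unlisted)
```

The check reports a person who programs applications and also manages the library and change control, the classic developer-with-promotion-rights combination, as a conflict; it also reports functions with no holder, since a function nobody performs is usually being done informally by someone who already holds another one.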
63    Control Objective: System management job descriptions have been documented.
      Control Activities (DECC SMC Mechanicsburg and DFAS TSOPE): Position descriptions for distinct system support positions have been developed.
      Tests Performed (DISA and DFAS): Inspected the job descriptions for the applicable types of personnel listed in control objective No. 62.
      Results of Testing: No relevant exceptions noted.

64    Control Objective: System management employees understand their roles and responsibilities.
      Control Activities (DECC SMC Mechanicsburg and DFAS TSOPE): Personnel receive and sign their position descriptions to confirm that they are aware of their proposed responsibilities.
      Tests Performed (DISA and DFAS): Selected a random sample of 45 employees and confirmed through inquiry that they understood their roles and responsibilities. Observed documentation to confirm that employees had signed position descriptions.
      Results of Testing: No relevant exceptions noted.

65    Control Objective: Management reviews effectiveness of control techniques.
      Control Activities (DFAS TSOPE): Management periodically reviews and updates security policies and procedures.
      Tests Performed (DFAS): Inspected the DCPS Systems Security Policy, Security Requirements, and the Certification Test and Evaluation Plan and Procedures to confirm that each document was periodically updated.
      Results of Testing: No relevant exceptions noted.

66    Control Objective: Formal procedures guide system management personnel in performing their responsibilities.
      Control Activities (DECC SMC Mechanicsburg and DFAS TSOPE): Formal standard operating procedures for personnel who support DCPS have been developed and implemented.
      Tests Performed (DISA and DFAS): Inspected standard operating procedures used by personnel in performing their job responsibilities with respect to DCPS.
      Results of Testing: No relevant exceptions noted.

67    Control Objective: Access procedures enforce the principles of separation of duties and “least privilege.”
      Control Activities (DECC SMC Mechanicsburg and DFAS TSOPE): Privileged accounts are only used by DISA and DCPS personnel to create, modify, or delete user accounts.
      Tests Performed (DISA and DFAS): Inspected the access control policies and procedures for compliance with the principles of separation of duties and “least privilege.”
      Results of Testing: No relevant exceptions noted.

68    Control Objective: Active supervision and review are provided for all system management personnel.
      Control Activities (DECC SMC Mechanicsburg): Support functions are organized based on job responsibility to ensure segregation of duties.
      Tests Performed (DISA): Inspected the organizational chart to confirm that a management structure was established. Inspected position descriptions of key DCPS support personnel to confirm supervisory responsibilities were established.
      Results of Testing: No relevant exceptions noted.


Section IV: Supplemental Information Provided by DFAS and DISA


Introduction

DFAS and DISA have prepared this section, and it is included to provide user organizations with information that DFAS and DISA believe will be of interest to such organizations. However, this information is not covered within the scope or control objectives established for the Statement on Auditing Standard 70 review. Specifically, this section includes a summary of procedures that DFAS and DISA have implemented to enable them to recover from a disaster affecting either the TSOPE or DECC SMC Mechanicsburg.

This information has not been subjected to the procedures applied to the examination of the description of controls presented in Sections II and III of this report. As a result, the DoD OIG expresses no opinion regarding the completeness and accuracy of this information.

TSOPE Specific Business Continuity Plans

The DCPS production support Continuity of Operations Plan (COOP) provides a plan to be implemented when a disaster or impending threat would render DCPS production support inoperable (for example, hurricanes or damage to TSOPE facilities due to fire). This plan is evaluated and updated on an annual basis.
If an impending threat or event occurs, production support control for DCPS is transferred to an alternate-processing site. Currently, that site is the DISA Processing Element in Huntsville, Alabama. The COOP includes the names of DCPS staff members who will serve as a pool of resources to execute the plan, and it includes a list of documentation and supplies that are necessary to support the mobilized team.

The team is composed of DCPS development staff members across many divisions and branches. TSOPE designates two members of the management team to be responsible for COOP execution. One is mobilized with the team and is responsible for team activities and communication with TSOPE while deployed to the COOP recovery site. The other serves as the team’s liaison at TSOPE and is responsible for relaying current operational status, current area weather conditions, and other pertinent information to the mobilized team. The team is divided into two smaller teams, with each team covering a 12-hour shift. Team leaders are appointed for the respective shift teams. TSOPE and DCPS project management staff coordinate and are involved in each step in planning and executing the COOP. Although this plan works for any type of disaster when production support becomes inoperable, it has been executed several times in the past few years during disastrous weather conditions, such as hurricanes.

DECC SMC Mechanicsburg Business Continuity Plans

To accommodate a major disaster at any major DISA processing center, DISA has established an Enterprise Business Continuity Program. The DISA program uses multiple internal locations and, for mainframe processing, uses the Assured Computing Environment infrastructure elements located at DECC SMC Mechanicsburg and Ogden. DECC SMC Mechanicsburg and Ogden are equipped with the computational direct access storage devices and telecommunication resources necessary to provide a fully functional host site with the capacity to support a major disaster at any DISA center with mainframe processing. Recovery efforts for server-based elements are hosted at DECC Infrastructure Services Center St Louis.

The COOP support agreement between DFAS, as the customer, and DISA, as the provider of processing systems and communications services, describes a process for restoring host-site processing in the event of a major disaster. The plan also addresses the timely resolution of problems during other disruptions that adversely affect DCPS processing. The plan, as it relates to DCPS, details data restoration procedures for the MZF z/OS operating system, the DCPS IDMS, and related mid-tier servers and communication devices. Replicated data and backup tapes containing incremental daily and complete weekly backups are rotated offsite to designated locations for storage on a predetermined schedule.

The Crisis Management Team at DECC SMC Mechanicsburg is responsible for declaring that a disaster has occurred and activating the Business Continuity Plan. Once a disaster has been declared, the Crisis Management Team activates the following response teams: Communications Team, Recovery Coordination Team, Site Recovery Team, and the Crisis Support Team. Each team has a specific set of responsibilities defined in the Business Continuity Plan. The contact information for each individual on each team is also included in the Business Continuity Plan. The plan is required to be tested on an annual basis. The Business Continuity Plan was tested in November 2005 at DECC SMC Ogden. TSOPE personnel participate in the yearly COOP exercise to ensure that the process works correctly and that documentation is updated appropriately.


Acronyms and Abbreviations

ACF2      Access Control Facility 2
CCB       Configuration Control Board
COOP      Continuity of Operations Plan
COTS      Commercial off-the-shelf
DCPS      Defense Civilian Pay System
DECC      Defense Enterprise Computing Center
DFAS      Defense Finance and Accounting Service
DISA      Defense Information Systems Agency
DITSCAP   Department of Defense Information Technology Security Certification and Accreditation Process
DMZ       Demilitarized Zones
DoD       Department of Defense
EOP       Executive Office of the President
EPA       Environmental Protection Agency
FSO       Field Security Operations
IA        Information Assurance
IDMS      Integrated Database Management System
IDS       Intrusion Detection System
IT        Information Technology
LPAR      Logical Partition
MAC       Mission Assurance Category
NSA       National Security Agency
OIG       Office of the Inspector General
OLQ       Online Queries
SA        System Administrator
SAAR      Systems Access Authorization Request
SCR       System Change Request
SMC       System Management Center
SMO       System Management Office
SRR       Security Readiness Review
SSAA      System Security Authorization Agreement
STIG      Security Technical Implementation Guide
TSOPE     Technology Services Engineering Organization in Pensacola
TSP       Thrift Savings Plan
VMS       Vulnerability Management System


Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer
Director, Program Analysis and Evaluation

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Auditor General, Department of the Air Force

Combatant Command
Inspector General, U.S. Joint Forces Command

Other Defense Organizations
Director, National Security Agency
Director, Defense Finance and Accounting Service
Inspector General, Defense Information Systems Agency

Non-Defense Federal Organizations and Individuals
Office of Management and Budget
General Accountability Office

Congressional Committees and Subcommittees, Chairman and Ranking Minority Members
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Team Members
The Defense Financial Auditing Service, Department of Defense Office of Inspector General, in conjunction with contract auditors from Acuity Consulting, Inc., produced this report.
Personnel from the Technical Assessment Division and Quantitative Methods Division, DoD OIG, also contributed to the report.

Paul J. Granetto
Patricia A. Marsh
Michael Perkins
Kenneth H. Stavenjord
Frank C. Sonsini
Sean J. Keaney
Anh H. Tran
Charles S. Dekle
Ernest G. Fine
Travis R. Schenck
Mary A. Hoover
Nicholas Drotar, Jr.
Debra J. DeJonge
Steve L. Kohne
Alberto J. Calimano-Colon
"
